OGH - 6Ob48/21h (GDPRhub; revision by user JS, 2021-10-01T12:09:39Z; source: https://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20315)
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenteninformation (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
}}<br />
<br />
The Austrian Supreme Court (OGH) stayed the data protection part of a consumer protection action until the CJEU determines whether the GDPR precludes national legislation that grants consumer organisations standing to bring legal action without a mandate from a data subject and irrespective of whether the rights of a particular individual were violated. The remaining claims (an interest clause and a credit check practice) were decided on the merits.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenteninformation, VKI) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions which it considered to be in breach of consumer protection law and the GDPR. More precisely, the association challenged several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant's practice of making decisions based on classifications by external credit scoring agencies, which it considered a violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no standing to bring legal action under the applicable data protection law. On this point, the appellate court had already held that the association lacked standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH held that the appellate court had failed to take into account that a systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit ratings could in fact entitle the association to bring legal action under the GDPR. The court declared the appeal admissible because the standing of the plaintiff association under §§ 28a and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not yet been conclusively clarified. The court referred to a parallel case brought by the same plaintiff which is currently pending before the CJEU in a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU, the present proceedings are stayed.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Case number<br />
6 Ob 48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as a court of appeal, composed of the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the Hofräte Univ.-Prof. Dr. Kodek, Dr. Nowotny and Dr. Faber and the Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for injunctive relief and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128/20v-15, by which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has ruled in closed session:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal is not upheld insofar as it is directed against the injunction under point 1.1. of the appellate judgment (Clause 1).<br />
Insofar as it is directed against the injunction under point 2 of the appellate judgment (Business practice 1), the defendant's appeal is upheld and the dismissing decision of the court of first instance (point 3.1. of its judgment) is restored.<br />
With regard to point 4 of the appellate judgment, the proceedings are stayed until the Court of Justice of the European Union has decided on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in case 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request to be authorised to publish the judgment upholding the claim, and on the defendant's request to be authorised to publish the judgment dismissing the claim, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u*****.at/datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U ***** and other mail order companies of the O ***** - Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You can assert the right to us to manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association seeks - insofar as this is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clause in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant, in accordance with § 28a KSchG, to refrain, in business dealings with consumers in connection with consumer credit relationships, from<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing on partial payment purchases and/or partial payment options with a total credit amount of at least EUR 200 for goods purchased by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "carrying out the credit check when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appellate court partially upheld the appeals of both parties. It confirmed the judgment upholding the action with regard to clauses 1 and 2, setting a six-month performance period, and amended the judgment of the court of first instance with regard to business practice 1 in the plaintiff's favour, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their respective appeals, the parties request the amendment of the appellate court's decision in the sense of upholding the claim in full or dismissing it in full, whereby the defendant does not contest the upholding of the claim with regard to the injunction on clause 2 (point 1.2. of the appellate judgment). In the alternative, the defendant seeks to have the judgment set aside.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not upheld. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the creditworthiness assessment under Section 7 (1) VKrG require clarification. It is partly justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest under Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, an agreement on the capitalisation of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not cured by listing the monthly interest rate, the annual interest rate and the effective annual interest rate, or by the installment calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer need not infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The appeal is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement on compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalised and charged" during the year is not sufficient to make the consumer realise that compound interest is also to be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124/18v [Clause 17]; 9 Ob 11/18k [Clause 6]; 8 Ob 128/17g [Clauses 7 and 8]; 10 Ob 31/16f [Clause c]; 4 Ob 179/02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship, that the mutual claims and services arising from the connection, plus interest, are invoiced and, at regular intervals, settled by offsetting and determining the surplus resulting for one or the other party. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when closing the accounts can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a party or the permanent business relationship, one speaks of an improper current account agreement to which the law on current accounts can apply analogously (1 Ob 83/01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83/01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed, when an improper current account relationship is agreed, that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83/01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; contra Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critical of assessing an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Because even under the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer regarding the accrual of compound interest within the meaning of § 6 Paragraph 3 KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that a periodic determination of the outstanding invoice amount takes place, including capitalisation of the "partial payment costs" and their (renewed) bearing of interest. This does not follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the regulation of the "current account settlement" in truth only effects the monthly settlement of compound interest is therefore not generally recognisable for the average consumer. Insofar as the appeal argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, since no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing partial payment purchases and/or partial payment options with a total credit amount of at least EUR 200 for goods purchased by consumers from it, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers, is objected to.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it had granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can be used to obtain information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who, in business dealings with consumers in connection with consumer credit relationships, violates a statutory requirement or prohibition and thereby affects the general interests of consumers can be sued for an injunction without prejudice to § 28 (1) KSchG (§ 28a (1) KSchG).<br />
[47] 1.2. § 28a KSchG extends the scope of representative actions to illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in § 28a (1) KSchG (10 Ob 13/17k; 7 Ob 168/17g; Kathrein/Schoditsch in KBB⁶ § 28a KSchG margin no. 1). The conduct complained of must also be of significance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal conduct in mass business (RS0121961). This is intended to effectively prevent any conduct found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228/16x).<br />
[48] 1.3. The right to cease and desist, including that under § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [business practice 2], etc.), is substantiated by two elements: an obligation to cease and desist and the risk that this obligation is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim and of the ruling is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible conduct in general terms and to clarify it by means of individual prohibitions listed as examples ("in particular"). Even with such a more general wording of the injunction, the ruling must cover the core of the infringing act (4 Ob 206/19a; 9 Ob 57/20b).<br />
[50] The claim is to be understood as the plaintiff means it, read together with the plaintiff's submissions (RS0037440).<br />
[51] 2.2. The core of business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to the relief sought and the submissions in the action as a whole, the plaintiff association seeks a prohibition that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtains information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer asks the defendant for the reasons why he cannot use all payment methods (i.e. after an "unsafe" payment method requested by the consumer has been rejected) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and/or assets, violates a statutory prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from § 7 VKrG always to obtain information about the income and/or assets of prospective buyers in the case of partial payment transactions as offered by the defendant, from a credited purchase price of EUR 200 (see § 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover carrying out the credit check without obtaining information about the income and/or assets of the prospective buyers, but only the practice of granting consumers partial payment options without having obtained such information. The practice of refusing partial payment without obtaining information about the income and/or asset situation is therefore not objected to.<br />
[55] 3.1. Under § 7 VKrG, which applies to hire purchase contracts pursuant to § 25 (1) VKrG (see Foglar-Deinhardstein in Fenyves/Kerschner/Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer before concluding the credit agreement on the basis of sufficient information which he, where necessary, requests from the consumer; where necessary, he must also obtain information from an available database (§ 7 (1) VKrG). If this check reveals considerable doubts about the consumer's ability to fully meet his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (§ 7 (2) VKrG).<br />
[56] This transposed into Austrian law the lender's obligation to assess the creditworthiness of the consumer under Article 8 (1) of the Consumer Credit Directive (Directive 2008/48/EC on credit agreements for consumers). Under Article 8 (1) of the Consumer Credit Directive, the Member States shall ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information, obtained where appropriate from the consumer and, where necessary, on the basis of a consultation of the relevant database. Those Member States whose legislation requires lenders to assess creditworthiness on the basis of a consultation of the relevant database may retain this requirement.<br />
[57] 3.2. The lender's obligation to assess the creditworthiness of the consumer under Article 8 (1) of the Consumer Credit Directive is intended to protect consumers from the irresponsible granting of credit that exceeds their financial capacity and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law serves the general interest in a functioning credit industry in the internal market (recitals 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. Under § 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts relevant for assessing creditworthiness (Pesek in Klang³ § 7 VKrG margin no. 27). Both § 7 (1) VKrG and Art 8 Consumer Credit Directive name, as means of obtaining information, the gathering of information from the consumer and the gathering of information from an available database.<br />
[59] Creditworthiness here is not to be understood as creditworthiness in the banking sense. Rather, it is a matter of assessing whether the consumer will probably be able to meet his payment obligations under the loan agreement in full without being pushed to the edge of his economic existence (Explanatory Notes, RV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG margin no. 6 f; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law [2010] § 7 VKrG margin no. 6 f; see Heinrich in Schwimann/Kodek, ABGB⁴ Va § 7 VKrG margin no. 4 ff).<br />
[60] 4.1. The law does not describe in more detail what content the information must have in order to be regarded as sufficient within the meaning of § 7 (1) VKrG.<br />
[61] 4.2. The literature consistently states that the consumer's regular (net) income and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann/Kodek, ABGB⁴ Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG margin no. 9; Dehn in Apathy/Iro/Koziol, Austrian Bank Contract Law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (in favour: Heinrich in Schwimann/Kodek, ABGB⁴ Va § 7 VKrG margin no. 9; Pesek in Klang³ § 7 VKrG margin no. 12; against: Wendehorst, What is creditworthiness? in Blaschek/Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, Consumer credit: the bank's duty to inquire, RdW 2014, 176, 179; idem, The civil-law protection provided by § 7 VKrG: legal benefit or wrong track, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the HIKrG entered into force on March 21, 2016] Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law [2010] § 7 VKrG margin no. 10; Dehn in Apathy/Iro/Koziol, Austrian Bank Contract Law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as, depending on the legal opinion taken, other assets are to be compared with the consumer's regular burdens (Pesek in Klang³ § 7 VKrG margin no. 17; Heinrich in Schwimann/Kodek, ABGB⁴ Va § 7 VKrG margin nos. 10, 12; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, and the existence or duration and intensity of the business relationship between lender and consumer being relevant (Heinrich in Schwimann/Kodek, ABGB⁴ Va § 7 VKrG margin no. 14; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG margin no. 14; 8 Ob 76/16h).<br />
[63] 4.4. In this sense, Leupold/Ramharter argue that for small (goods) loans the lender's duty to investigate is limited; in this context they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold/Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information under § 7 (1) VKrG must likewise be specified according to the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations be determined for the wide range of consumer loans covered by § 7 (1) VKrG, which extends from financing aid within the meaning of § 25 (1) VKrG to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In CA Consumer Finance SA, the ECJ made it clear that the directive neither conclusively specifies the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor specifies in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion as to whether the information he has is sufficient to certify the creditworthiness of the loan applicant and whether he has to check it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances in which the credit agreement is concluded, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not required, in the case of small goods loans, to obtain information on the income or financial situation of the consumer, or on both, in addition to obtaining information from an external credit bureau.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative creditworthiness information available within the group of companies. In addition, it takes the amount of the loan into account in its decision; there are also other factors that are not related to creditworthiness within the meaning of § 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small goods loans from a loan amount of EUR 200 covered by the injunction, taking into account existing negative creditworthiness information, as can be derived both from the information available within the group of companies and from the information provided by the credit bureau, does not appear to be entirely unsuitable for a credit check. The plaintiff association does not claim otherwise. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least unless it is combined with a detailed survey of all, even minor, financial burdens) necessarily enables a more reliable assessment than the query whether, due to existing "negative creditworthiness information", the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, namely not obtaining information about the income and/or asset situation of consumers when granting partial payment options beyond obtaining information from an external credit agency, violates § 7 VKrG cannot be answered in general terms but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction is not directed at such more specific cases, but aims to prohibit the defendant, in all cases, from agreeing partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and/or their financial position.<br />
[72] This request is, however, not justified because of the discretion granted to the lender in the credit check. The appeal is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court is to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The plaintiff's appeal is admissible because the standing (active legitimation) of the plaintiff association under §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (clause 1):<br />
[76] The appellate court set the period for ceasing the use of, and reliance on, clause 1 at six months because of the organizational measures needed to convert the IT systems. Such a need is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the appellate court is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The objected business practice of the defendant consists in carrying out the credit check when granting credit on the basis of a scoring without giving the consumer the right to express his own point of view and to contest his classification.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association has no standing with regard to data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with § 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks standing to assert data protection violations.<br />
[83] As a significant legal issue, the appeal argues that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the representative action under § 28a KSchG was open.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court referred the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 (1) and (2) and Art. 84 (1), of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119 of May 4, 2016, p. 1; hereinafter "GDPR") preclude national rules which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects, grant competitors on the one hand and, on the other hand, associations, institutions and chambers authorized under national law the power to bring an action before the civil courts against the infringer on account of violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject, from the point of view of the prohibition of unfair business practices, of a violation of consumer protection law or of the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to sue under § 29 KSchG that is the plaintiff in 6 Ob 77/20x, there on the basis of § 28 KSchG. In the present proceedings, on the basis of § 28a KSchG, it seeks the omission of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question whether the plaintiff has standing to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant to the decision of the present dispute, because it is essential for the decision whether the Union legislature, with the legal protection instruments provided for in the GDPR, possibly intended to create a conclusive regime for the enforcement of data protection violations, also with respect to actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Accordingly, the Supreme Court also extended its request for a preliminary ruling in 6 Ob 77/20x to the representative action "from the point of view of a violation of a consumer protection law", i.e. under § 28a KSchG (cf. [...] 2020, I ZR 186/17 [margin nos. 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the European Court of Justice has general effect and apply it also to cases other than the one immediately at issue. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the requests for publication:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction concerning business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment becomes available would entail additional costs that would not be incurred in the case of a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on § 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20314OGH - 6Ob48/21h2021-10-01T12:09:11Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Riealeksandra<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU has determined whether the GDPR precludes national legislation that grants consumer organisations standing to take legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions that it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticized several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already held that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit ratings could in fact allow the association to take legal action under the GDPR. The court held that the appeal is admissible because the standing of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not been conclusively clarified. The court refers to a parallel case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide on whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU the present procedure is put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Case number<br />
6Ob48/21h<br />
<br />
<br />
Head<br />
The Supreme Court, as a court of appeal, through the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for omission and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as court of appeal of November 26, 2020, GZ 3 R 128/20v-15, by which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has in closed session ruled as a matter of law and decided:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal, insofar as it is directed against the injunction in item 1.1 of the appellate judgment (clause 1), is not granted.<br />
Insofar as it is directed against the injunction in item 2 of the appellate judgment (business practice 1), the defendant's appeal is granted and the dismissing decision of the first court (item 3.1 of its judgment) is restored.<br />
With regard to item 4 of the appellate judgment, the proceedings are interrupted until the European Court of Justice has decided on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request to be authorized to publish the judgment granting its claim, and on the defendant's request to be authorized to publish the dismissing judgment, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...]"<br />
[3] Via the link "www.u*****.at/part-payment" you reach an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When the item price and the desired term are entered, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which in excerpts has the following content:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and the other mail-order companies of the O***** Group generally give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, installment purchase).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the probability of default by means of the internal scoring is based on a recognized mathematical-statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment by means of the mathematical-statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a paid e-mail provider than when using a free provider. As part of the examination of whether an insecure method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency: C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be granted the desired insecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You have the right to request that we manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer reaches a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or by partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he can be supplied via credit card or PayPal. If the customer is known, the scoring yields one of three results, represented by three different colors. If the color is red, the insecure payment method is likewise rejected; if it is yellow, an employee of the defendant checks; and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association seeks - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant, in accordance with § 28a KSchG, to refrain, in business dealings with consumers in connection with consumer credit relationships, from<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing partial payment purchases and/or partial payment options with a total credit amount of at least EUR 200 for the payment by consumers of goods purchased, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The court of first instance granted the injunction and publication requests with regard to clauses 1 and 2, without setting a performance period, and dismissed the further claim and the defendant's counter-publication request.<br />
[16] The appellate court partially upheld the appeals of both parties. It confirmed the granting of the action with regard to clauses 1 and 2, setting a six-month performance period, and amended the judgment of the first court with regard to business practice 1 in the plaintiff's favour, likewise with a six-month performance period.<br />
[17] It declared the appeal admissible because the case partly concerned clauses or business practices that had not yet been assessed by the Supreme Court and that were of importance for a larger number of consumers.<br />
[18] In their respective appeals, the parties request that the decision of the appellate court be amended so as to grant the action in full or to dismiss it, whereby the defendant does not contest the granting of the action with regard to the injunction concerning clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant applies for the decision to be set aside.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not be upheld. The defendant requests that the plaintiff's appeal not be upheld.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can demand compound interest according to Section 1000 (2) sentence 1 ABGB only if the parties have expressly agreed to this. According to the case law, the agreement of the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not remedied by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by the use of the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer need not infer an agreement of compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The appeal is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 Rz 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer aware that compound interest is also to be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124/18v [Clause 17]; 9 Ob 11/18k [Clause 6]; 8 Ob 128/17g [Clauses 7 and 8]; 10 Ob 31/16f [Clause c]; 4 Ob 179/02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather for the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 UGB. Section 355 (1) UGB defines the current account agreement as an agreement with an entrepreneur with whom someone is in a business relationship that the mutual claims and performances arising from that relationship, together with interest, are entered into an account and settled at regular intervals by offsetting and by determining the surplus resulting for one party or the other. According to Section 355 (4) clause 4 UGB, whoever is entitled to a surplus on closing of the account can demand compound interest.<br />
[33] 2.2. If one or more features of the current account as defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of one party or the permanent business relationship, one speaks of an improper current account agreement, to which current account law can apply by analogy (1 Ob 83/01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the rule in § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4; contra Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critical of classifying an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355 (1) UGB is missing when a single purchase in installments is concluded, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. For even on the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer as regards the accrual of compound interest within the meaning of § 6 Paragraph 3 KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that a periodic determination of the outstanding invoice amount takes place, including capitalization of the "partial payment costs" and their (renewed) accrual of interest. This does not follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can be deduced only from the specification of a monthly interest rate for the installment costs. The fact that the provision on "current account settlement" is in truth intended only to effect the monthly charging of compound interest is therefore not generally recognizable for the average consumer. Insofar as the appeal argues that the effective annual interest rate can exceed the stated annual interest rate only because of the compound interest effect, because no other costs are included in it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. Insofar as the appeal further argues that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If an effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate or to the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The objection is to the defendant's business practice of agreeing partial payment purchases and/or partial payment options with a total credit amount of at least EUR 200 for the payment of goods purchased from it by consumers, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can complement information about the consumer's income and assets, but cannot replace it.<br />
[41] The defendant counters that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 VKrG. In any event, the entrepreneur is not required to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appellate court granted the injunction. In its legal assessment, it held that the lender must carry out the credit check on the basis of sufficient information. In order to assess creditworthiness, the current income and liquid funds of the consumer should first be determined and compared with the costs of the loan and the current repayment; a database query should be carried out only if additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision prioritizing the means of procuring information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an effect especially in the case of low monthly payments, so that the information to be obtained from the consumer would have to be the more extensive, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining credit information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include unlawful business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13/17k; 7 Ob 168/17g; Kathrein/Schoditsch in KBB6 § 28a KSchG margin no. 1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for unlawful behavior in mass business (RS0121961). This is intended to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228/16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [Business Practice 2], etc.) - requires two elements: an obligation to cease and desist and the risk that this obligation will be violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject matter of the claim and of the judgment is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in general terms and to clarify it by means of individual prohibitions listed as examples ("in particular"). Even with such a more general wording of the injunction, the operative part must cover the core of the infringing act (4 Ob 206/19a; 9 Ob 57/20b).<br />
[50] The claim is to be understood in the sense intended by the plaintiff, read together with the plaintiff's submissions (RS0037440).<br />
[51] 2.2. The core of business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to its request for relief and its submissions as a whole, the plaintiff association seeks a prohibition that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and/or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG for the defendant always to obtain information about the income and/or assets of prospective buyers in the case of partial payment transactions, as offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 (1) of the Consumer Credit Directive (Directive 2008/48/EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the Member States shall ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information obtained, where appropriate, from the consumer and, where necessary, on the basis of a consultation of the relevant database. Those Member States whose legislation requires lenders to assess creditworthiness on the basis of a consultation of the relevant database may retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 (1) of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capacity and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recitals 6 and 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] Creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is a matter of assessing whether the consumer will probably be able to meet his payment obligations under the loan agreement in full without being pushed to the edge of his economic existence (ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst/Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst/Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy/Iro/Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (in favour: Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek/Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, Consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; idem, The protection provided by § 7 VKrG under civil law: legal benefit or aberration, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst/Zöchling-Jud, consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy/Iro/Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst/Zöchling-Jud, consumer credit law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, whereby the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, and the existence or duration and intensity of the business relationship between the lender and the consumer are relevant (Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst/Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76/16h).<br />
[63] 4.4. In this sense, Leupold/Ramharter argue that for small (goods) loans the lender's investigation obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold/Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must likewise be determined according to the circumstances of the individual case. Only in this way can the statutory general clause accommodate the wide range of consumer loans covered by Section 7 (1) VKrG, which extends from financing assistance within the meaning of Section 25 (1) VKrG to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive does not conclusively specify the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor does it specify in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion as to whether the information available to him is sufficient to establish the creditworthiness of the loan applicant and whether he has to check it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. In the case of small goods loans, the lender is therefore not required, in addition to obtaining information from an external credit bureau, to obtain information on the income or the financial situation of the consumer, or on both.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. In addition, it takes the amount of the loan into account in its decision-making; furthermore, there are other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small goods loans from a loan amount of EUR 200 upwards that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for a credit check. Nor does the plaintiff association claim this. Especially in the case of very low loan amounts (from EUR 200), it is not evident that additional knowledge of the net income (at least where it is not combined with a detailed survey of all, even minor, financial burdens) necessarily permits a more reliable assessment than the query whether, owing to existing "negative creditworthiness information", the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to determine the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, namely not obtaining information about the income and/or assets of consumers when granting partial payment options, in addition to obtaining information from an external credit agency, violates § 7 VKrG cannot be answered in general terms but depends on the circumstances of the individual case.<br />
[71] It cannot be ruled out that the partial payment options granted by the defendant exist in which it is necessary to obtain information about the income situation or the financial situation of the consumer or about both. However, the request for an injunction does not focus on more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200, without information on the income situation and / or their financial position to catch up.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The plaintiff's appeal is admissible because the standing of the plaintiff association under §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the period for ceasing to use and rely on clause 1 at six months because of the organizational measures required for the IT conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the appellate court is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The plaintiff objects to the defendant's business practice of carrying out the credit check when granting credit on the basis of a scoring, without giving the consumer the right to express his own point of view and to contest his classification.<br />
[79] With this request for an injunction, the plaintiff does not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. This procedure, the plaintiff argues, violates Art 22 GDPR for reasons set out in detail.<br />
[80] The defendant objected that the plaintiff association has no standing with regard to data protection information obligations, and that the alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal argues that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action under § 28a KSchG is available.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court referred the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the rules in Chapter VIII, in particular Art. 80 (1) and (2) and Art. 84 (1), of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR") preclude national rules which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal remedies available to data subjects, empower competitors on the one hand and, on the other hand, associations, institutions and chambers authorized under national law to bring proceedings against the infringer before the civil courts for violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without being mandated by a data subject, on the basis of the prohibition of unfair business practices, a violation of consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to sue under § 29 KSchG that is acting in 6 Ob 77/20x, there on the basis of § 28 KSchG. In the present proceedings it seeks, on the basis of § 28a KSchG, an injunction against a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff has standing to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature, with the legal protection instruments provided for in the GDPR, may have intended to create an exhaustive regime for the enforcement of data protection violations is essential for the decision also in the case of actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Accordingly, the Supreme Court extended its request for a preliminary ruling in 6 Ob 77/20x also to the representative action "from the point of view of a violation of a consumer protection law", i.e. under § 28a KSchG (cf. 2020, I ZR 186/17 [margin nos. 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the European Court of Justice has general effect and apply it also to cases other than the one directly referred. For reasons of procedural economy, the present proceedings must therefore be stayed (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because the proceedings are stayed with regard to the request for an injunction concerning business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here, because a further publication once the final judgment is available would entail additional costs that would not arise in the case of joint publication (Ciresa, Handbuch der Urteilsveröffentlichung⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20313OGH - 6Ob48/21h2021-10-01T12:01:37Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU determines whether the GDPR precludes national legislation that grants consumer organisations standing to take legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions that it considered to be in violation of consumer protection law and the GDPR. More precisely, the association objected to several non-transparent contractual clauses on interest and creditworthiness checks, as well as to the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already decided that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit relationships could in fact allow the association to take legal action under the GDPR. The court decided that the appeal is admissible because the standing of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) is not ultimately clarified. The court refers to a parallel case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU, the present proceedings are put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Case number<br />
6Ob48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as court of appeal, through the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U ***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for an injunction and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as court of appeal of November 26, 2020, GZ 3 R 128/20v-15, by which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, in closed session found and decided as follows:<br />
<br />
<br />
Operative part<br />
<br />
The defendant's appeal, insofar as it is directed against the injunction under point 1.1. of the appellate judgment (Clause 1), is not upheld.<br />
Insofar as it is directed against the injunction under point 2 of the appellate judgment (business practice 1), the defendant's appeal is upheld and the dismissing decision of the first court (there point 3.1. of the judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings are stayed until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decisions on the plaintiff's request to be authorized to publish the judgment granting the claim and on the defendant's request to be authorized to publish the dismissing judgment are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" one reaches an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly installment is EUR 10. When the item price and the desired term are entered, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment and the final installment price, and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which reads in excerpts as follows:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and other mail order companies of the O***** Group generally give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, installment purchase).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the default probability by means of the internal scoring is based on a recognized mathematical-statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment by means of the mathematical-statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus to a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when a paid e-mail provider is used than when a free provider is used. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency: C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecured payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You have the right to request that we manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 (1) (b) GDPR and Article 6 (1) (f) GDPR. We generally have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer reaches a link titled "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer ordering on open account or with partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant refuses a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, the scoring has three possible outcomes, marked by three different colors. If the color is red, the unsecured payment method is likewise refused; if it is yellow, an employee of the defendant checks; and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association seeks - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[12] Furthermore, it seeks to oblige the defendant, in accordance with § 28a KSchG, to refrain, in business dealings with consumers in connection with consumer credit relationships, from<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for consumers to pay for goods purchased, without checking the consumer's creditworthiness on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "carrying out the credit check when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appellate court partially upheld the appeals of both parties. It confirmed that the action was granted with regard to clauses 1 and 2, but set a six-month performance period, and amended the judgment of the first court with regard to business practice 1 in the plaintiff's favour, likewise with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their respective appeals, the parties request that the decision of the appellate court be amended so as to grant the claim in full or to dismiss it in full, whereby the defendant does not contest the granting of the claim with regard to the injunction concerning clause 2 (point 1.2. of the appellate judgment). In the alternative, the defendant applies for annulment.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not upheld. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the credit check under Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violates the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest under Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, an agreement on the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the installment calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer need not infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The appeal is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that compound interest has been stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement of compound interest in the defendant's General Terms and Conditions must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, a reference to an account closing during the year, or to the fact that interest is "calculated, capitalized and charged" during the year, is not sufficient to make the consumer aware that compound interest is also to be charged. Such clauses have therefore regularly been held to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124/18v [Clause 17]; 9 Ob 11/18k [Clause 6]; 8 Ob 128/17g [Clauses 7 and 8]; 10 Ob 31/16f [Clause c]; 4 Ob 179/02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an intra-year closing of accounts, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from the "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur, with whom someone stands in a business relationship, that the mutual claims and performances arising from that relationship, together with interest, are entered into an account and are settled at regular intervals by set-off and determination of the surplus resulting for one party or the other. According to Section 355 (4) clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when the accounts are closed can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critical of assessing an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355 (1) UGB is missing when a single purchase in installments is concluded, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Even under the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer as regards the accrual of compound interest within the meaning of § 6 Paragraph 3 KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that a periodic determination of the outstanding invoice amount takes place, including the capitalisation of the "partial payment costs" and the (renewed) charging of interest on them. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the regulation of the "current account settlement" is in truth intended only to effect the monthly settlement of compound interest is therefore not generally recognisable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, since no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing partial payment purchases and / or partial payment options with a total credit of at least EUR 200 to pay for the goods purchased by consumers from it, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers, is objected to.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behaviour did not allow any conclusions to be drawn about income, and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can supplement the obtaining of information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. In its legal assessment, it held that the lender had to carry out the credit check on the basis of sufficient information. In order to assess creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of the business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income “and / or” assets for the purpose of checking creditworthiness. According to the prayer for relief and the pleadings in the action as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and / or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG for the defendant to always obtain information about the income and / or the assets of prospective buyers in the case of partial payment transactions of the kind offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from the irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recitals 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] Creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full, without being pushed to the edge of his economic existence (ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek / Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, Consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; ders, The protection provided by § 7 VKrG under civil law: legal beneficence or wrong path, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud, Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, as well as the existence or the duration and intensity of the business relationship between the lender and the consumer being relevant (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's exploration obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must also be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations be adequately determined for the wide range of consumer loans covered by Section 7 (1) VKrG - which extends from financing assistance within the meaning of Section 25 (1) VKrG up to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive neither conclusively specifies the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor specifies in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion as to whether the information he has is sufficient to establish the creditworthiness of the loan applicant and whether he has to check it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. In the case of small goods loans, the lender is therefore not required, in addition to obtaining information from an external credit bureau, to obtain information on the income or the financial situation of the consumer, or on both aspects.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. In addition, it takes the amount of the loan into account in its decision-making; there are also other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and / or their financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the standing of the plaintiff association under §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the period for ceasing to use and to rely on Clause 1 at six months because of the organisational measures necessary for the conversion of the data processing systems. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of basing the credit check when granting credit on a scoring, without giving the consumer the right to express his own point of view and to contest his classification, is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association had no standing with regard to data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks standing to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules that - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal protection options of the data subjects - grant competitors on the one hand, and associations, institutions and chambers authorised under national law on the other, the power to proceed against the infringer by way of an action before the civil courts on account of violations of the GDPR, regardless of the violation of specific rights of individual data subjects and without a mandate from a data subject, on the grounds of the prohibition of unfair business practices, the violation of a consumer protection law, or the prohibition of using ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorised to take legal action under § 29 KSchG that is the plaintiff in 6 Ob 77 / 20x - there relying on § 28 KSchG. In the present proceedings, relying on § 28a KSchG, it seeks the cessation of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff has standing to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature may have intended, with the legal protection instruments provided for in the GDPR, to create an exhaustive regime for the enforcement of data protection violations is decisive also for actions against business practices that are connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Accordingly, the Supreme Court also extended its request for a preliminary ruling in 6 Ob 77 / 20x to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG (cf. . 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply it also to cases other than the immediate one. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment becomes available would entail additional costs that would not be incurred in the case of a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20312OGH - 6Ob48/21h2021-10-01T12:01:00Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Aleksandra Walle]<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU determined whether the GDPR precludes national legislation that grants consumer organisations the legitimacy to take legal action without a mandate and a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff, the Austrian consumer association Verein für Konsumenteninformation (VKI), sued the defendant, a mail order company operating throughout Austria, over several business practices and terms and conditions that it considered to be in violation of consumer protection law and the GDPR. In particular, the association challenged a non-transparent contractual clause on installment interest, the practice of granting partial payment without adequately checking the consumer's creditworthiness, and credit checks based on scoring by the defendant and an external credit agency without granting the consumer the right to express their point of view and to contest the classification, which the association considered a violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
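The decision text below (paragraphs [4] and [9]) describes the defendant's credit check as a decision tree: an automated query to a credit agency, automatic rejection of the unsecured payment method for unknown or red-scored customers, automatic acceptance for green, referral to an employee for yellow, and a consumer right to request manual review of an automated decision. The following Python model is an added illustration of that workflow and is not code from the decision or from the defendant; the agency lookup table, the names and the colour tiers are constructed for the example. Its point is the one [[Article 22 GDPR|Article 22 GDPR]] turns on: each outcome records whether it was produced solely by automated means and whether a human has since intervened.<br />

```python
"""Model of the three-tier credit-check workflow described in OGH 6 Ob 48/21h.

Added illustration, not code from the decision or from the defendant. The
credit-agency lookup is a constructed in-memory table; the names and the
colour tiers are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Tier(Enum):
    UNKNOWN = "unknown"   # customer not found at the credit agency
    RED = "red"           # negative information: unsecured payment rejected
    YELLOW = "yellow"     # borderline: an employee inspects the file
    GREEN = "green"       # unsecured payment accepted


# Constructed stand-in for the external credit-agency query (paragraph [9]).
# Keyed by (last name, date of birth); a real system would call the agency.
AGENCY_TABLE = {
    ("Muster", "1980-01-01"): Tier.GREEN,
    ("Beispiel", "1975-05-05"): Tier.YELLOW,
    ("Probe", "1990-09-09"): Tier.RED,
}


@dataclass
class Decision:
    customer: Tuple[str, str]
    tier: Tier
    unsecured_payment_allowed: Optional[bool]  # None while a human decision is pending
    solely_automated: bool                     # True = Art. 22(1) GDPR territory
    review_requested: bool = False
    log: List[str] = field(default_factory=list)


def query_agency(last_name: str, dob: str) -> Tier:
    """Look the customer up; unknown customers get the UNKNOWN tier."""
    return AGENCY_TABLE.get((last_name, dob), Tier.UNKNOWN)


def check_credit(last_name: str, dob: str) -> Decision:
    """Apply the defendant's described rules for a new customer."""
    tier = query_agency(last_name, dob)
    d = Decision(customer=(last_name, dob), tier=tier,
                 unsecured_payment_allowed=None, solely_automated=True)
    if tier in (Tier.UNKNOWN, Tier.RED):
        # Rejected by the machine alone; customer is offered card or PayPal only.
        d.unsecured_payment_allowed = False
        d.log.append(f"automated reject ({tier.value}): card/PayPal only")
    elif tier is Tier.GREEN:
        d.unsecured_payment_allowed = True
        d.log.append("automated accept")
    else:
        # Yellow: a human looks at the file before any outcome is fixed.
        d.solely_automated = False
        d.log.append("yellow: routed to an employee for manual inspection")
    return d


def request_manual_review(d: Decision) -> Decision:
    """Consumer exercises the right to human review of an automated rejection.

    Reopens the decision so that a person, not the machine, fixes the outcome.
    Decisions that already involved a human, or accepted the customer, are
    returned unchanged.
    """
    if d.solely_automated and d.unsecured_payment_allowed is False:
        d.review_requested = True
        d.solely_automated = False
        d.unsecured_payment_allowed = None
        d.log.append("consumer requested review: decision reopened for a human")
    return d


def human_decides(d: Decision, allow: bool, reason: str) -> Decision:
    """Record a human decision; refuses to run on a still purely automated file."""
    if d.solely_automated:
        raise ValueError("no human review is pending for this decision")
    d.unsecured_payment_allowed = allow
    d.log.append(f"human decision: {'allow' if allow else 'reject'} ({reason})")
    return d
```

The `solely_automated` flag is the audit field a practitioner would want in such a system: a rejection that stays `True` is the kind of decision the consumer may contest, and `request_manual_review` is what turns it into one with human involvement.<br />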
<br />
The defendant argued that the association had no standing to assert violations of data protection law. The court of appeal had already held that the association lacked standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH held that the court of appeal had failed to consider that a systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit scoring could in fact give the association standing under the GDPR. The appeals of both parties were admissible, among other reasons because the standing of consumer associations under §§ 28a and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz, KSchG) to assert data protection violations has not been finally clarified. The OGH had already referred this question to the CJEU for a preliminary ruling in a parallel case brought by the same plaintiff. On the other points the OGH ruled directly: it upheld the ban on the interest clause, which it found non-transparent under § 6(3) KSchG because the consumer cannot recognise that monthly "current account settlement" means monthly compound interest, and it restored the first-instance dismissal of the claim directed against granting partial payment without obtaining information on the consumer's income or assets.<br />
<br />
In this regard, the CJEU has to decide whether the GDPR precludes national rules that grant associations standing to bring actions against unfair business practices or violations of consumer protection law without a mandate from, and irrespective of a violation of the specific rights of, individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until the CJEU delivers that ruling, the proceedings on this point are stayed.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
06.08.2021<br />
<br />
<br />
Case number<br />
6 Ob 48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as court of final appeal, composed of Senate President Hon.-Prof. Dr. Gitschthaler as chairman, Justices Univ.-Prof. Dr. Kodek and Dr. Nowotny, Justice Dr. Faber and Justice Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for an injunction and publication of the judgment, on the appeals of both parties against the judgment of the Linz Higher Regional Court as court of appeal of 26 November 2020, GZ 3 R 128/20v-15, which partially amended the judgment of the Salzburg Regional Court of 14 August 2020, GZ 4 Cg 67/19w-9, has ruled in closed session:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal is dismissed insofar as it is directed against the injunction in point 1.1 of the appellate judgment (Clause 1).<br />
Insofar as it is directed against the injunction in point 2 of the appellate judgment (Business practice 1), the defendant's appeal is upheld and the dismissing decision of the court of first instance (point 3.1 of its judgment) is restored.<br />
With regard to point 4 of the appellate judgment, the proceedings are stayed until the Court of Justice of the European Union has decided on the request for a preliminary ruling made by the Supreme Court on 25 November 2020 in case 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's application to be authorised to publish the judgment in its favour, and on the defendant's application to be authorised to publish the dismissing judgment, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u *****. At / part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] The link "www.u*****.at/part-payment" leads to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly installment is EUR 10. When the item price and the desired term are entered, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price, and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which reads in excerpt as follows:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and other mail order companies of the O***** Group generally give their customers the opportunity to purchase goods using insecure payment methods (e.g. purchase on account, installment purchase).<br />
[...]<br />
Companies that generally allow their customers to use insecure payment methods have a legitimate interest in protecting themselves as well as possible against payment defaults. This is done, among other things, by checking the customer's creditworthiness before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U***** GmbH whether it has received negative creditworthiness information about the respective customer from the other mail order companies of the O***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customer to U***** GmbH, which in turn can pass it on to the above-mentioned other mail order companies of the O***** Group before these companies give the customer the option of using insecure payment methods.<br />
The creditworthiness information consists of information about outstanding payment claims and information indicating a direct risk of payment default (e.g. insolvency, debt counselling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U***** GmbH, the customers concerned are informed of the possibility of transmission in a reminder. We are also entitled to transmit information about highly atypical ordering patterns (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U***** GmbH and to request such information from U***** GmbH. This serves to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order using an insecure payment method, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the default probability by means of the internal scoring is based on a recognised mathematical-statistical procedure. The data used in the internal scoring derive in particular from a combination of the following data categories (non-exhaustive): address data, age, desired payment conditions, ordering channel and product range groups. Only data that the customer has provided to us are used in the internal scoring. On the basis of the named data categories, the mathematical-statistical procedure used allows conclusions to be drawn about the probability of payment default. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus to a restriction of the payment method. There is no payment method restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically established, for example, that the risk of payment default is lower when a paid e-mail provider is used than when a free provider is used. As part of the examination of whether an insecure payment method (installment purchase / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency: C***** GmbH, *****.<br />
For the purpose of retrieving creditworthiness information, the following data are transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C***** GmbH, ***** for the purpose of person and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we may use an automated process to decide whether you will be granted the desired insecure payment method (installment purchase / purchase on account). For example, when a negative credit report is received from a credit agency or when an insufficient score is calculated in the internal scoring, the desired payment method may be rejected automatically. You have the right to request that we review the automated decision manually. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. We have a legitimate interest in principle in carrying out a credit check when you select an insecure payment method (installment purchase / purchase on account)."<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer reaches a link titled "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is requested, for example proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1 of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant, in accordance with § 28a KSchG, to refrain from the following practices in business dealings with consumers in connection with consumer credit relationships:<br />
(Business practice 1 = point 2 of the judgment of the court of appeal): "agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for goods purchased by consumers without checking the consumer's creditworthiness on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The court of appeal partially upheld the appeals of both parties. It confirmed the upholding of the action with regard to clauses 1 and 2, setting a six-month period for compliance, and amended the judgment of the first court with regard to business practice 1 in the plaintiff's favour, also with a six-month period for compliance.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their respective appeals, the parties seek amendment of the appellate court's decision in the sense of a complete upholding or a complete dismissal of the action, whereby the defendant does not contest the upholding of the action with regard to the injunction concerning clause 2 (point 1.2 of the appellate judgment). In the alternative, the defendant seeks to have the judgment set aside.<br />
[19] The plaintiff requests that the defendant's appeal be rejected as inadmissible or, in the alternative, dismissed. The defendant requests that the plaintiff's appeal be dismissed.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the credit check under § 7(1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violates the transparency requirement of § 6(3) KSchG. The creditor of a monetary claim can demand compound interest under § 1000(2) sentence 1 ABGB only if the parties have expressly agreed to it. According to the case law, an agreement on the capitalisation of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is not cured by listing the monthly interest rate, the annual interest rate and the effective annual interest rate, or by the installment calculator, because the difference between the annual interest rate and the effective annual interest rate can also result from other cost factors such as commissions, contract establishment costs, processing fees etc., so that the average consumer need not infer an agreement on compound interest from that difference.<br />
[28] The revision is not justified.<br />
[29] 1.1. Under § 1000(2) sentence 1 ABGB, compound interest is due, as the court of appeal has already correctly stated, only in the case of an "express" agreement between the parties. What is required is that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB⁴ § 1000 Rz 17 and Fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 Rz 3). The agreement on compound interest in the defendant's general terms and conditions must also meet the requirements of § 6(3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, a reference to an account closing during the year, or a reference to the fact that interest is "calculated, capitalised and charged" during the year, is not sufficient to make the consumer realise that compound interest is also to be charged. Such clauses have therefore regularly been judged non-transparent within the meaning of § 6(3) KSchG (1 Ob 124/18v [Clause 17]; 9 Ob 11/18k [Clause 6]; 8 Ob 128/17g [Clauses 7 and 8]; 10 Ob 31/16f [Clause c]; 4 Ob 179/02f [Clause Z 38 para 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in § 355 UGB. § 355(1) UGB defines the current account agreement as an agreement between an entrepreneur and a person with whom the entrepreneur has a business relationship that the mutual claims and performances arising from that relationship, together with interest, are entered into an account and settled at regular intervals by offsetting and by determining the surplus resulting for one party or the other. Under § 355(4) clause 4 UGB, the party entitled to a surplus at the closing of the account can demand compound interest.<br />
[33] 2.2. If one or more of the features of the current account defined by law in § 355(1) UGB are missing, such as the entrepreneurial status of one party or the permanent business relationship, one speaks of an improper current account agreement, to which current account law can apply by analogy (1 Ob 83/01i). For example, the analogous application of § 355 UGB was affirmed for an agreement between non-entrepreneurs (1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the rule in § 1000(2) sentence 1 ABGB, it is assumed, where an improper current account relationship is agreed, that compound interest is due only if expressly agreed (within the meaning of § 1000(2) sentence 1 ABGB) (cf. 1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4; contra Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period, such that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 5). Whether a single installment purchase can already meet this requirement (critical of treating installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355(1) UGB is missing when a single installment purchase is concluded, so that at most an "improper" current account relationship exists, need not be conclusively assessed in the present case:<br />
[36] 3.1. Even on the assumption that the agreement of a "current account settlement" in the case of an installment purchase were directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer, within the meaning of § 6(3) KSchG, as regards the accrual of compound interest. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates reveals that a periodic determination of the outstanding amount takes place, including capitalisation of the "partial payment costs" and (renewed) charging of interest on them. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The court of appeal has already correctly stated that such a difference can also have reasons other than the charging of compound interest (§ 510(3) ZPO). In addition, the length of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. That the rule on "current account settlement" in truth only effects the monthly charging of compound interest is therefore not generally recognisable to the average consumer. Insofar as the appeal argues that the effective annual interest rate can exceed the stated annual interest rate only because of the compound interest effect, since no other costs flow into it, this circumstance is not readily apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The plaintiff objects to the defendant's business practice of agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for goods purchased by consumers from it, without checking the consumer's creditworthiness on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check under § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in installment transactions. In response to the plaintiff's warning letter, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no proof of employment or regular income had to be furnished. The database query and the analysis of previous purchasing behaviour did not allow any conclusions to be drawn about income and no prognosis as to whether the consumer would be able to meet the payment obligations in full. A database query can supplement information about the consumer's income and assets, but cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. § 28a KSchG extends the scope of representative actions to include unlawful business practices of entrepreneurs in business dealings with consumers, limited to the contractual and non-contractual legal relationships specified in § 28a(1) KSchG (10 Ob 13/17k; 7 Ob 168/17g; Kathrein/Schoditsch in KBB⁶ § 28a KSchG Rz 1). The conduct complained of must also be of significance for a large number of contracts or non-contractual legal relationships, which is the case in particular for unlawful conduct in mass business (RS0121961). This is to effectively prevent any conduct found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228/16x).<br />
[48] 1.3. The right to an injunction, including that under § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [Business Practice 2], etc.), rests on two elements: an obligation to refrain and the risk that this obligation will be violated. If one of these elements is missing, there is no right to an injunction (RS0037660).<br />
[49] 2.1. The subject of the claim and of the ruling is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible conduct in generalised terms and to clarify it by means of individual prohibitions listed as "in particular". Even with such a more general wording of the injunction, the ruling must cover the core of the infringing act (4 Ob 206/19a; 9 Ob 57/20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to the request for judgment and the submissions in the action as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and/or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG to always obtain information about the income and/or the assets of prospective buyers in the case of partial payment transactions, as offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 (1) of the Consumer Credit Directive (Directive 2008/48/EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the Member States shall ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information, which he may obtain from the consumer and, if necessary, on the basis of information from the relevant database. Those Member States whose legislation requires lenders to assess creditworthiness on the basis of a query in a corresponding database may retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 (1) of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recitals 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] Creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full without being pushed to the edge of his economic existence (Explanatory Notes, RV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG margin no. 9; Dehn in Apathy/Iro/Koziol, Austrian Bank Contract Law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (in favor: Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is Creditworthiness? in Blaschek/Habersberger, Worthy of a Loan? 29 f; Foglar-Deinhardstein, The Credit Check for Consumer Credit [2013] margin nos. 237 ff; Weissel, Consumer Credit: Inquiry Obligations of the Bank, RdW 2014, 176, 179; idem, The Protection Provided by § 7 VKrG under Civil Law: Legal Blessing or Aberration, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law [2010] § 7 VKrG margin no. 10; Dehn in Apathy/Iro/Koziol, Austrian Bank Contract Law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with the amount of the loan value disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, and the existence or duration and intensity of the business relationship between the lender and the consumer being relevant (Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law § 7 VKrG Rz 14; 8 Ob 76/16h).<br />
[63] 4.4. In this sense, Leupold/Ramharter argue for small (goods) loans that the lender's investigation obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold/Ramharter, The Violation of the Duty to Warn of Poor Creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. What counts as "sufficient" information according to Section 7 (1) VKrG must likewise be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations be adequately determined for the wide range of consumer loans covered by Section 7 (1) VKrG, which extends from financial aid within the meaning of Section 25 (1) VKrG up to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive neither conclusively specifies the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor specifies in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion as to whether the information he has is sufficient to establish the creditworthiness of the loan applicant and whether he has to check it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available within the group of companies. In addition, it takes the amount of the loan into account in its decision-making; there are also other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and/or their financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the deadline for ceasing the use of and reliance on clause 1 at six months because of the organizational measures necessary for the EDP conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance deadline set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association was not granted any active legitimation regarding data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 (1) and (2) and Art. 84 (1), of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR") preclude national rules which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal remedies available to data subjects - grant competitors on the one hand and, on the other hand, associations, institutions and chambers authorized under national law the power to bring an action before the civil courts against the infringer for violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without being mandated by a data subject, on the basis of the prohibition of unfair business practices, the violation of consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to sue under § 29 KSchG that acts as plaintiff in 6 Ob 77/20x - there on the basis of § 28 KSchG. In the present proceedings, based on § 28a KSchG, it seeks the cessation of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff has the active legitimation to assert violations of the GDPR by way of a representative action according to § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature may have intended, with the legal protection instruments provided for in the GDPR, to create an exhaustive regime for the enforcement of data protection violations is essential for the decision also in the case of actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Thus, the Supreme Court also extended its request for a preliminary ruling in 6 Ob 77/20x to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG (cf. 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply it also to cases other than the immediate one. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment becomes available would entail additional costs that would not be incurred in the case of joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20311OGH - 6Ob48/21h2021-10-01T11:58:14Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php%3Ftitle=UODO_-_ZSO%C5%9AS.421.25.2019 janniks]<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU determines whether the GDPR precludes national legislation that grants consumer organisations the standing to take legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticized several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already decided that the association lacks the standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit relationships could in fact allow the association to take legal action under the GDPR. The court decided that the appeal is admissible because the standing of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) is not ultimately clarified. The court refers to a parallel case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide on whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU the present procedure is put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Business number<br />
6Ob48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as a court of appeal, composed of the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and the court councilor Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U ***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for cessation and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128/20v-15, with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has duly ruled and decided in closed session:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal, insofar as it is directed against the cease-and-desist order in item 1.1. of the appellate judgment (Clause 1), is not upheld.<br />
Insofar as it is directed against the cease-and-desist order in item 2 of the appellate judgment (business practice 1), the defendant's appeal is upheld and the dismissing decision of the first court (there item 3.1. of the judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings will be interrupted until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 re 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the request of the plaintiff to authorize it to publish the plaintiff's verdict, as well as the request of the defendant to authorize it to publish the dismissing verdict, are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link “www.u*****.at/part-payment” you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u*****.at/datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U ***** and other mail order companies of the O ***** Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be granted the desired unsecured payment method (installment / purchase on account). For example, when a negative credit report is provided by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You can assert against us the right to have the automated decision reviewed manually. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. We have, in principle, a legitimate interest in carrying out a credit check when you select an unsecured payment method (installment / purchase on account)."<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or with partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant declines a business relationship with partial payment or on account and notifies the customer that delivery would be made against payment by credit card or PayPal. If the customer is known, there are three possible scoring outcomes, indicated by three different colors. If the color is red, the unsecured payment method is likewise rejected; if it is yellow, an employee of the defendant checks; and if it is green, the order is accepted. In the case of a yellow scoring, the employee personally inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1 of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks, in accordance with § 28a KSchG, to oblige the defendant to refrain, in business dealings with consumers in connection with consumer credit relationships, from the following:<br />
(Business practice 1 = point 2 of the judgment of the court of appeal): "agreeing partial payment purchases and / or partial payment options with a total credit of at least EUR 200 for payment of goods purchased by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially followed the appeals of both parties. It confirmed the admission of the action with regard to clauses 1 and 2, whereby it set a six-month performance period, and changed the judgment of the first court with regard to business practice 1 in the plaintiff's sense, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing revisions, the parties request the amendment of the decision of the appellate court in the sense of upholding the action in full or dismissing it in full, whereby the defendant does not contest the upholding of the action with regard to the omission of clause 2 (point 1.2 of the appeal judgment). In the alternative, the defendant files an application for annulment.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, that it not be upheld. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The revisions of both parties are permissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is permissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest according to Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, the agreement of the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer cannot be expected to infer the agreement of compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. What is required is that compound interest has been stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather for the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship that the mutual claims and services arising from that relationship, including interest, are entered into an account and that, at regular intervals, the surplus resulting for one or the other party is determined by offsetting and balanced. According to Section 355 (4) clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when the accounts are closed can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critical of assessing an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355 (1) UGB is missing when a single purchase in installments is concluded, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Even on the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer regarding the accrual of compound interest within the meaning of § 6 Paragraph 3 of the KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that a periodic determination of the outstanding invoice amount takes place, including capitalization of the "partial payment costs" and their (renewed) bearing of interest. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the provision on "current account settlement" in truth merely effects the monthly charging of compound interest is therefore not generally recognizable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, because no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: Objected to is the defendant's business practice of agreeing partial payment purchases and / or partial payment options with a total credit of at least EUR 200 for payment of the goods purchased from it by consumers, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can supplement the information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of the business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and / or" assets for the purpose of checking creditworthiness. According to the request for a judgment and the submission of the action in its entirety, the plaintiff association seeks a ban that is not restricted to specific groups of cases or the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and / or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG to always obtain information about the income and / or the assets of prospective buyers in the case of partial payment transactions, as offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recital 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] The creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full, without being pushed to the edge of his economic existence (Explanatory notes to the government bill, 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (in favour: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek / Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, Consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; idem, The protection provided by § 7 VKrG under civil law: legal benefit or wrong path, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud, Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer as well as the existence or duration and intensity of the business relationship between the lender and the consumer being relevant (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's duties of inquiry are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must likewise be determined depending on the circumstances of the individual case. Only in this way can the statutory general clause accommodate the wide range of consumer loans covered by Section 7 (1) VKrG, from financing assistance within the meaning of Section 25 (1) VKrG up to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive does not conclusively specify the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor does it specify in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion when it comes to whether the information he has is sufficient to certify the creditworthiness of the loan applicant and whether he has to check this against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information available to him from the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. In addition, it takes the amount of the loan into account in its decision-making; further factors also play a role that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, namely not obtaining information about the income and/or asset situation of consumers when granting partial payment options beyond obtaining information from an external credit agency, violates § 7 VKrG cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and/or financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the performance period for ceasing the use of and reliance on clause 1 at six months because of the organizational measures required for the IT (EDP) conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association was not granted any active legitimation regarding data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the rules in Chapter VIII, in particular in Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules that - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal protection options of the data subjects - empower, on the one hand, competitors and, on the other hand, associations, institutions and chambers authorized under national law to bring proceedings against the infringer before the civil courts because of violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without being mandated by a data subject, from the point of view of the prohibition of unfair business practices, the violation of consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorized to take legal action under § 29 KSchG that is acting in 6 Ob 77/20x - there on the basis of § 28 KSchG. In the present proceedings, based on § 28a KSchG, it seeks the omission of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff is legitimized to assert violations of the GDPR by way of a representative action according to § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature may have intended, with the legal protection instruments provided for in the GDPR, to create an exhaustive regime for the enforcement of data protection violations is also decisive for actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Accordingly, the Supreme Court also related its request for a preliminary ruling in 6 Ob 77/20x to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG (cf. 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the European Court of Justice has general effect and must apply it also to cases other than the immediate one. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication once the final judgment is available would entail additional costs that would not be incurred in the case of a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20310OGH - 6Ob48/21h2021-10-01T11:56:56Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[[janniks|https://gdprhub.eu/index.php?title=User:JS]]<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU determines whether the GDPR precludes national legislation that grants consumer organisations standing to take legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions which it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticized several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already decided that the association lacks the legitimacy to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit ratings could in fact allow the association to take legal action under the GDPR. The court decided that the appeal is admissible because the legitimacy of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) is not ultimately clarified. The court refers to a parallel case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide on whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU, the present procedure is put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Case number<br />
6Ob48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as a court of appeal, by the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for omission and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128/20v-15, with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has ruled in closed session and decided:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal is not followed insofar as it is directed against the cease-and-desist order in point 1.1. of the appeal judgment (clause 1).<br />
Insofar as it is directed against the cease-and-desist order in point 2 of the appeal judgment (business practice 1), the defendant's appeal is followed and the dismissing decision of the first court (there point 3.1. of the judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings are interrupted until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request to authorize it to publish the judgment upholding the claim, as well as the defendant's request to authorize it to publish the judgment dismissing the claim, are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u*****.at/datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and other mail order companies of the O***** Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You can assert the right to us to manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or with partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that delivery would be made against credit card or PayPal. If the customer is known, there are three scoring outcomes, indicated by three different colors. If the color is red, the unsecure payment method is also rejected; if it is yellow, an employee of the defendant checks; and if it is green, the order is accepted. In the case of a yellow scoring, the employee personally inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant in accordance with § 28a KSchG to refrain, in business dealings with consumers in connection with consumer credit relationships,<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "from agreeing on partial payment purchases and/or partial payment options with consumers, with a total credit amount of at least EUR 200, for the payment of goods purchased, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "from carrying out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially followed the appeals of both parties. It confirmed the admission of the action with regard to clauses 1 and 2, whereby it set a six-month performance period, and changed the judgment of the first court with regard to business practice 1 in the plaintiff's sense, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing revisions, the parties in dispute request the amendment of the decision of the appellate court in the sense of the complaint being upheld in full or dismissed in full, whereby the defendant does not contest the upholding of the complaint with regard to the omission of clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant files an application to set aside the judgment.<br />
[19] The plaintiff requests that the defendant's appeal be dismissed or, in the alternative, that it should not be followed. The defendant requests that the plaintiff's appeal be disregarded.<br />
[20] The revisions of both parties are permissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is permissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts forbade the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest according to Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, the agreement of the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer cannot be expected to infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is required that compound interest has been stipulated, for which sufficiently clear implied declarations also suffice (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement that someone who is in a business relationship with an entrepreneur will have the mutual claims and performances arising from that relationship, together with interest, entered into an account and settled at regular intervals by offsetting and by determining the surplus resulting for one or the other party. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when closing the accounts can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5) . Whether a single purchase in installments can already meet this requirement (critical for assessing an installment credit as a current account relationship Dullinger in Artmann, UGB³ § 355 Rz 4) or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Even on the assumption that the agreement of a "current account settlement" in a hire purchase would fall directly under § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer, within the meaning of § 6 (3) KSchG, as regards the accrual of compound interest. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that the outstanding balance is determined periodically, with capitalization of the "partial payment costs" and (renewed) interest charged on them. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can have reasons other than the charging of compound interest (§ 510 (3) ZPO). In addition, the length of the billing period of one month can only be inferred from the specification of a monthly interest rate for the partial payment costs. That the provision on "current account settlement" in truth serves only to effect the monthly charging of compound interest is therefore not generally recognizable to the average consumer. Insofar as the appeal argues that the effective annual interest rate can exceed the stated annual interest rate only because of the compound interest effect, since no other costs flow into it, this circumstance is not readily apparent to the consumer from the disputed clause.<br />
[37] 3.2. Insofar as the appeal further argues that the financial burden is readily recognizable for the consumer from the indication of the effective annual interest rate and from the installment calculator, the defendant gains nothing from this. If an effective agreement of compound interest is lacking - because of a violation of the transparency requirement of § 6 (3) KSchG - the defendant is entitled neither to the stated effective interest rate nor to the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The objected business practice is that the defendant agrees partial payment purchases and / or partial payment options with a total credit amount of at least EUR 200 to pay for goods purchased from it by consumers, without checking the consumer's creditworthiness on the basis of sufficient information, in particular without obtaining information on the income and / or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check under § 7 VKrG in the fact that the defendant collects no information about consumers' income and other liabilities in installment transactions. In response to the plaintiff's warning letter, the defendant had justified its high interest rate by the fact that no collateral had to be provided for the loans it granted and no proof of employment or regular cash inflow had to be furnished. The database query and the analysis of previous purchasing behavior allowed no conclusions about income and no prognosis as to whether the consumer would be able to meet his payment obligations in full. The database query could supplement information about the consumer's income and assets, but could not replace it.<br />
[41] The defendant counters that obtaining information from a database, specifically by querying the named credit bureau, satisfies the requirements of § 7 VKrG. In any case, the entrepreneur is not obliged to approach the consumer. The scope of the duty to investigate depends on the individual case and is lower for small goods loans than for typical bank loans. The defendant allows partial payment for purchase prices between EUR 50 and EUR 4,000 with a term of at most four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the cessation of business practice 1.<br />
[43] The appellate court granted the injunction. In law, it reasoned that the lender had to carry out the credit check on the basis of sufficient information. To assess creditworthiness, the consumer's current income and liquid funds are to be used first and compared with the costs of the loan and the current repayment burden; a database query is to be carried out only where additionally necessary.<br />
[44] In its appeal, the defendant asserts that no order of priority for obtaining information is prescribed and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an effect especially in the case of low monthly installments, so that the information to be obtained from the consumer would have to be all the more detailed the lower the loan amount. In such cases, however, obtaining detailed information is unusual and provides no more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining credit information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim and of the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible conduct in general terms and to clarify it by means of individual prohibitions listed as "in particular". Even with such a more general wording of the injunction, the verdict must capture the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as the plaintiff means it, read together with the plaintiff's submissions (RS0037440).<br />
[51] 2.2. The core of business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and / or" assets for the purpose of checking creditworthiness. According to the relief sought and the submissions in the action taken as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtains information on the income or assets of its prospective buyers before granting a partial payment option. Only when a consumer asks the defendant for the reasons why he cannot use all payment methods (i.e. after an "unsafe" payment method requested by the consumer has been refused) does the defendant request, for example, proof of income.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and / or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive question is whether an obligation can be derived from § 7 VKrG to always obtain information about the income and / or assets of prospective buyers in partial payment transactions as offered by the defendant, from a credited purchase price of EUR 200 (see § 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover carrying out the credit check without obtaining information about the income and / or assets of prospective buyers, but only the practice of granting consumers partial payment options without having obtained such information. The practice of refusing partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG, which applies to hire purchase contracts pursuant to § 25 (1) VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must, before concluding the credit agreement, check the creditworthiness of the consumer on the basis of sufficient information, which it obtains from the consumer where required; where necessary, it must also obtain information from an available database (§ 7 (1) VKrG). If this check reveals considerable doubts about the consumer's ability to fully meet his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (§ 7 (2) VKrG).<br />
[56] This implemented into Austrian law the lender's obligation to assess the creditworthiness of the consumer under Article 8 (1) of the Consumer Credit Directive (Directive 2008/48 / EC on credit agreements for consumers). According to Article 8 (1) of the Consumer Credit Directive, Member States shall ensure that, before concluding the credit agreement, the creditor assesses the consumer's creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database. Member States whose legislation requires creditors to assess creditworthiness on the basis of a consultation of the relevant database may retain this requirement.<br />
[57] 3.2. The lender's obligation to assess the creditworthiness of the consumer under Article 8 (1) of the Consumer Credit Directive is intended to protect consumers from the irresponsible granting of credit that exceeds their financial capacity and can lead to their insolvency (ECJ March 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law serves the general interest in a functioning credit industry in the internal market (Recitals 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to § 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must establish the facts relevant to assessing creditworthiness (Pesek in Klang³ § 7 margin no. 27). As means of information, both § 7 (1) VKrG and Art 8 Consumer Credit Directive mention obtaining information from the consumer and obtaining information from an available database.<br />
[59] Creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is a question of assessing whether the consumer will probably be able to meet his payment obligations under the loan agreement in full, without being pushed to the edge of his economic existence (ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no.10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; on the other hand: Wendehorst, What is creditworthiness? In Blaschek / Habersberger , Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; ders, The protection provided by § 7 VKrG under civil law: legal beneficence oder Irrweg, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG up to the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud , Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no.12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, as well as the existence or duration and intensity of the business relationship between lender and consumer being relevant (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue that for small (goods) loans the lender's duties of investigation are limited; in this context they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information under § 7 (1) VKrG must likewise be specified according to the circumstances of the individual case. Only in this way can the statutory general clause make the legal obligations workable for the wide range of consumer loans covered by § 7 (1) VKrG, which extends from financial aid within the meaning of § 25 (1) VKrG up to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In CA Consumer Finance SA, the ECJ made clear that the directive neither lists exhaustively the information on the basis of which the lender has to assess the consumer's creditworthiness, nor specifies whether and how this information is to be verified. Rather, the lender has a margin of discretion as to whether the information at its disposal is sufficient to establish the creditworthiness of the loan applicant and whether it must be verified against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer, or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not in every case required, for small goods loans, to obtain information on the consumer's income or financial situation, or on both, in addition to obtaining information from an external credit bureau.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available within the group of companies. It also takes the loan amount into account in its decision; in addition, there are other factors unrelated to creditworthiness within the meaning of § 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly for the small goods loans from a loan amount of EUR 200 covered by the injunction, taking into account existing negative creditworthiness information, as can be derived from the information available within the group of companies and from the credit bureau, does not appear to be wholly unsuitable for a credit check. Nor does the plaintiff association claim this. Especially for very low loan amounts (from EUR 200), it is not evident that additional knowledge of the net income (at least unless combined with a detailed survey of all, even minor, financial burdens) necessarily allows a more reliable assessment than the query whether, because of existing "negative creditworthiness information", the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to determine the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, namely not obtaining information about consumers' income and / or asset situation when granting partial payment options in addition to obtaining information from an external credit agency, violates § 7 VKrG cannot be answered in general, but depends on the circumstances of the individual case.<br />
[71] It cannot be ruled out that, among the partial payment options granted by the defendant, there are cases in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not target such more specific cases, but aims to forbid the defendant, in all cases, from agreeing partial payment purchases or partial payment options with consumers with a total credit amount of at least EUR 200 without obtaining information on their income and / or financial situation.<br />
[72] Because of the discretion granted to the lender in the credit check, this request is not justified. The appeal is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. To this extent the judgment of the first court had to be restored.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the deadline for ceasing the use of and reliance on clause 1 at six months because of the organizational measures required for the IT conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance deadline set by the appellate court is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The objected business practice is that the defendant carries out the credit check when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. This procedure violates Art 22 GDPR for reasons set out in detail.<br />
[80] The defendant objected that the plaintiff association has no standing regarding data protection information obligations. The alleged violation of Art 22 GDPR does not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with § 7 VKrG and Art 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the ground that the plaintiff association lacks standing to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies of data subjects - grant competitors on the one hand, and associations, bodies and chambers authorized under national law on the other hand, the power to proceed against an infringer because of violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject, by way of an action before the civil courts from the point of view of the prohibition of unfair business practices, of the violation of a consumer protection law, or of the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to bring actions under § 29 KSchG that is the plaintiff in 6 Ob 77 / 20x - there on the basis of § 28 KSchG. In the present proceedings, on the basis of § 28a KSchG, it seeks the cessation of a business practice used by the defendant in connection with consumer credit relationships which allegedly violates the GDPR.<br />
[86] 2.2. The question whether the plaintiff is entitled to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant to the decision of the present dispute, because the question of whether the Union legislature, with the legal protection instruments provided for in the GDPR, may have intended to create an exhaustive regime for the enforcement of data protection violations is decisive also for actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Accordingly, in 6 Ob 77 / 20x the Supreme Court also extended its request for a preliminary ruling to the representative action "from the point of view of a violation of a consumer protection law" - i.e. under § 28a KSchG - (cf. . 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply it also to cases other than the immediate one. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here, because a further publication after the final judgment becomes available would entail additional costs that would not arise with a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>
OGH - 6Ob48/21h, revision of 2021-10-01T11:55:10Z by JS: https://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20309
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=janniks<br />
|Initial_Contributor_Link=https://gdprhub.eu/index.php?title=User:JS<br />
}}<br />
<br />
The Austrian Supreme Court stayed a case until the CJEU determines whether the GDPR precludes national legislation that grants consumer organisations standing to bring legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions that it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticized several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant's practice of making decisions based on classifications by external credit scoring agencies, which the association considered a violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. On this point, the appellate court had already held that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
On appeal, the plaintiff argued that the appellate court had disregarded the fact that the alleged systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] occurred in connection with consumer credit relationships, which would open the collective action under § 28a of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG). The OGH held the appeal admissible because the standing of the plaintiff association under §§ 28a and 29 KSchG to assert GDPR violations has not been conclusively clarified. The court referred to a parallel case brought by the same plaintiff that is currently pending before the CJEU in a preliminary ruling procedure.<br />
<br />
In that case, the CJEU has to decide whether the GDPR precludes national rules that grant associations the power to bring actions against unfair business practices or violations of consumer protection law without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until the CJEU delivers that decision, the present proceedings are stayed.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
6 August 2021<br />
<br />
<br />
Case number<br />
6 Ob 48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as court of appeal, through the President of the Senate Hon.-Prof. Dr. Gitschthaler as presiding judge, the court councillors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councillor Dr. Faber and the court councillor Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U ***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for injunctive relief and publication of the judgment, on the appeals (Revisionen) of both parties against the judgment of the Linz Higher Regional Court as court of appeal of 26 November 2020, GZ 3 R 128/20v-15, by which the judgment of the Salzburg Regional Court of 14 August 2020, GZ 4 Cg 67/19w-9, was partially amended, in closed session found to be right and decided:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal is not upheld insofar as it is directed against the injunction under point 1.1. of the appellate judgment (Clause 1).<br />
Insofar as it is directed against the injunction under point 2 of the appellate judgment (business practice 1), the defendant's appeal is upheld and the dismissing decision of the court of first instance (there point 3.1. of the judgment) is restored.<br />
With regard to point 4 of the appellate judgment, the proceedings are stayed until the decision of the Court of Justice of the European Union on the request for a preliminary ruling submitted by the Supreme Court on 25 November 2020 in case 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request for authorization to publish the judgment granting the claim, as well as on the defendant's request for authorization to publish the dismissing judgment, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" the customer reaches an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly installment is EUR 10. When the item price and the desired term are entered, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment and the final installment price, and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which reads in excerpts as follows:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U ***** and other mail order companies of the O ***** Group generally give their customers the opportunity to purchase goods using unsecured payment methods (e.g. purchase on account, installment purchase).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we may decide by means of an automated process whether you will be granted the desired unsecured payment method (installment/purchase on account). For example, if a credit agency reports negative credit information or if an insufficient score is calculated in the internal scoring, the desired payment method may be rejected automatically. You have the right to request that we manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. We have a legitimate interest in carrying out a credit check whenever you select an unsecured payment method (installment/purchase on account)."<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer reaches a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association seeks - insofar as this is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant, in accordance with § 28a KSchG, to refrain, in business dealings with consumers in connection with consumer credit relationships, from<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for the payment of goods purchased by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the court of appeal): "carrying out the credit check when granting credit on the basis of a scoring without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The court of first instance granted the injunction and publication requests with regard to clauses 1 and 2 without setting a performance period and dismissed the remaining claim and the defendant's counter-request for publication.<br />
[16] The court of appeal partially upheld the appeals of both parties. It confirmed the granting of the claim with regard to clauses 1 and 2, setting a six-month performance period, and amended the judgment of the court of first instance with regard to business practice 1 in the plaintiff's favour, likewise with a six-month performance period.<br />
[17] It allowed the appeal (Revision) because the case partly concerned clauses or business practices that had not yet been assessed by the Supreme Court and that were of significance for a larger number of consumers.<br />
[18] In their respective appeals, the parties request that the decision of the court of appeal be amended so as to uphold the claim in full or to dismiss it in full, whereby the defendant does not contest the granting of the claim with regard to the injunction concerning clause 2 (point 1.2. of the appellate judgment). In the alternative, the defendant applies to have the judgment set aside.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not upheld. The defendant requests that the plaintiff's appeal be dismissed.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the credit check under Section 7(1) VKrG require clarification. It is partly justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violates the transparency requirement of Section 6(3) KSchG. According to Section 1000(2) sentence 1 ABGB, the creditor of a monetary claim can only demand compound interest if the parties have expressly agreed to it. According to the case law, an agreement on the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is not remedied by stating the monthly interest rate, the annual interest rate and the effective annual interest rate, or by the installment calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of concluding the contract, processing fees etc., so that the average consumer need not infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000(2) sentence 1 ABGB, compound interest is due - as the court of appeal has already correctly pointed out - only where the parties have "expressly" agreed to it. What is required is that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 Rz 3). The agreement on compound interest in the defendant's general terms and conditions must also meet the requirements of Section 6(3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 UGB. Section 355(1) UGB defines the current account agreement as an agreement with an entrepreneur, with whom someone has a business relationship, that the mutual claims and performances arising from that relationship, together with interest, are placed on account and settled at regular intervals by offsetting and determining the surplus resulting in favour of one party or the other. According to Section 355(4) clause 4 UGB, whoever is entitled to a surplus on closing of the account can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5) . Whether a single purchase in installments can already meet this requirement (critical for assessing an installment credit as a current account relationship Dullinger in Artmann, UGB³ § 355 Rz 4) or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship does not have to be conclusively assessed in the present case:<br />
[36] 3.1. For even on the assumption that the agreement of a "current account settlement" in the case of a hire purchase would be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer with regard to the accrual of compound interest within the meaning of § 6(3) KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates reveals that a periodic determination of the outstanding invoice amount takes place, including the capitalization of the "partial payment costs" and the (renewed) charging of interest on them. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The court of appeal has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510(3) ZPO). In addition, the length of the billing period of one month can only be inferred from the specification of a monthly interest rate for the installment costs. That the provision on "current account settlement" is in truth intended only to effect the monthly charging of compound interest is therefore not generally recognizable to the average consumer. Insofar as the appeal argues that the effective annual interest rate can exceed the stated annual interest rate only because of the compound interest effect, since no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. Insofar as the appeal further argues that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the installment calculator, this does not help the defendant. If there is no effective agreement on compound interest - due to a violation of the transparency requirement of § 6(3) KSchG - the defendant is not entitled to the stated effective interest rate or to the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The plaintiff objects to the defendant's business practice of agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for the payment of goods purchased from it by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check under § 7 VKrG in the fact that the defendant does not collect any information on the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's warning letter, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no proof of employment or regular cash inflow had to be produced. The database query and the analysis of previous purchasing behaviour did not allow any conclusions to be drawn about income and no prognosis as to whether the consumer would be able to meet his payment obligations in full. The database query could supplement, but not replace, obtaining information on the consumer's income and assets.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The court of first instance dismissed the request for an injunction against business practice 1.<br />
[43] The court of appeal granted the injunction. In its legal reasoning it held that the lender had to carry out the credit check on the basis of sufficient information. In order to assess creditworthiness, the consumer's current income and liquid funds were first to be used and compared with the costs of the loan and the ongoing repayment; a database query was only to be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision prioritizing the sources of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behaviour. Obtaining credit information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of business practice 1 objected to by the plaintiff consists in granting consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to the relief sought and the statement of claim as a whole, the plaintiff association seeks a prohibition that is not limited to specific groups of cases or the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtains information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information on the reasons why he cannot use all payment methods with the defendant (i.e. after an "unsecured" payment method requested by the consumer has been rejected) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information on their income and/or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive question is whether Section 7 VKrG gives rise to an obligation to always obtain information on the income and/or assets of prospective buyers in the case of partial payment transactions as offered by the defendant, from a credited purchase price of EUR 200 (see Section 4(1) VKrG).<br />
[54] It should be made clear in this context that the injunction sought does not simply cover the carrying out of the credit check without obtaining information on the income and/or assets of prospective buyers, but only the practice of granting consumers partial payment options without having obtained such information. The practice of refusing partial payment without obtaining information on the income and/or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C- 565/12, LCL Le Crédit Lyonnais SA, ECLI: EU: C: 2014: 190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recital 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] The creditworthiness is not to be understood as the creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full, without being pushed to the edge of his economic existence (ExplanationRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff ).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no.10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; on the other hand: Wendehorst, What is creditworthiness? In Blaschek / Habersberger , Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; ders, The protection provided by § 7 VKrG under civil law: legal beneficence oder Irrweg, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG up to the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud , Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no.12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with regard to the amount of the loan value disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer as well as the existence or duration and intensity the business relationship between the lender and the consumer is important (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's exploration obligations are limited; In this context, they refer to information from databases and reject any further credit check that is incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must also be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations for the wide range of consumer loans covered by Section 7 (1) VKrG - which includes financial aid within the meaning of Section 25 (1) VKrG, up to large bank loans - be made possible.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In CA Consumer Finance SA, the ECJ made clear that the Directive neither lists exhaustively the information on the basis of which the lender must assess the consumer's creditworthiness nor specifies whether and how that information is to be verified. Rather, the lender has a margin of discretion as to whether the information available to it is sufficient to establish the creditworthiness of the credit applicant and whether it must check that information against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to it by the credit applicant is relevant and sufficient. Whether the information is sufficient may vary depending on the circumstances in which the credit agreement is concluded, the personal situation of the consumer or the amount of credit provided for in the agreement (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. In the case of small goods loans, therefore, the lender is not required to obtain, in addition to information from an external credit agency, information on the consumer's income or on his assets or on both.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the credit amount to EUR 500; for existing customers, it uses any negative creditworthiness information available within the group of companies. It also takes the amount of the credit into account in its decision; in addition, other factors play a role that are unrelated to creditworthiness within the meaning of § 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small goods loans from a credit amount of EUR 200 upwards that are covered by the injunction sought, taking into account existing negative creditworthiness information, as derived from the information available within the group of companies and from the information provided by the credit agency, does not appear to be wholly unsuitable for a creditworthiness check. Nor does the plaintiff association claim otherwise. Particularly in the case of very low credit amounts (from EUR 200), it is not evident that additional knowledge of the net income (at least unless it is combined with a detailed survey of all, even minor, financial burdens) necessarily permits a more reliable assessment than the query whether, because of existing "negative creditworthiness information", the recoverability of even very small credit amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, namely not obtaining information about the income and/or asset situation of consumers when granting partial payment options beyond the information obtained from an external credit agency, violates § 7 VKrG cannot be answered in general terms but depends on the circumstances of the individual case.<br />
[71] It cannot be ruled out that there are partial payment options granted by the defendant for which it is necessary to obtain information about the consumer's income situation or his assets or both. However, the request for an injunction does not target such more specific cases; it aims to prohibit the defendant, in all cases, from agreeing partial payment purchases or partial payment options with a total credit of at least EUR 200 with consumers without obtaining information on their income situation and/or their assets.<br />
[72] Given the discretion granted to the lender in the creditworthiness check, this request is not justified. The appeal is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. To this extent, the judgment of the court of first instance had to be restored.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The plaintiff's appeal is admissible because the standing of the plaintiff association under §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the period for ceasing the use of, and reliance on, Clause 1 at six months because of the organizational measures required for the IT conversion. Such a need is understandable in the present case, in which the impermissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The period set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The plaintiff objects to the defendant's business practice of basing the creditworthiness check when granting credit on a scoring without giving the consumer the right to express his own point of view and to contest his classification.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practised by the defendant, but to the decision based on the classification made by the external credit agency. This procedure, it argued, violates Art 22 GDPR for reasons set out in detail.<br />
[80] The defendant objected that the plaintiff association has no standing with regard to data protection information obligations and that there is no violation of Art 22 GDPR.<br />
[81] The court of first instance dismissed the claim because the defendant's approach was in accordance with § 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the ground that the plaintiff association lacks standing to assert data protection violations.<br />
[83] As a significant legal issue, the appeal argues that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the representative action under § 28a KSchG is available.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court referred the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 (1) and (2) and Art. 84 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects, grant competitors on the one hand and associations, institutions and chambers authorized under national law on the other hand the power to bring an action before the civil courts against the infringer for violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject, from the point of view of the prohibition of unfair commercial practices, of the violation of a consumer protection law or of the prohibition on using ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to sue under § 29 KSchG that is acting in 6 Ob 77/20x, there on the basis of § 28 KSchG. In the present proceedings, on the basis of § 28a KSchG, it seeks an order that the defendant cease a business practice used in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question whether the plaintiff has standing to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant to the decision of the present dispute, because it is essential for that decision whether the Union legislature, with the legal protection instruments provided for in the GDPR, may have intended to create an exhaustive regime for the enforcement of data protection violations that also covers actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Thus the Supreme Court, in its request for a preliminary ruling in 6 Ob 77/20x, also referred to the representative action "from the point of view of a violation of a consumer protection law", i.e. under § 28a KSchG (cf. . 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the European Court of Justice has general effect and must apply it to cases other than the immediate one as well. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because the proceedings are interrupted with regard to the request for an injunction concerning business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be finally decided. A partial judgment is not appropriate here because a further publication after the final judgment would entail additional costs that would not be incurred with a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on § 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JS https://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20308 OGH - 6Ob48/21h 2021-10-01T11:52:42Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=janniks<br />
|<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU has determined whether the GDPR precludes national legislation that grants consumer organisations standing to take legal action without a mandate and without a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian consumer association Verein für Konsumenteninformation) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions which it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticised several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant's practice of making decisions based on classifications by external credit scoring agencies, in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under the applicable data protection law. In this regard, the appellate court had already held that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court had failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit relationships could in fact allow the association to take legal action under the GDPR. The court decided that the appeal is admissible because the standing of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not been conclusively clarified. The court refers to a parallel case of the plaintiff currently pending before the CJEU in a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide whether the GDPR precludes national rules that grant associations the power to take legal action against unfair business practices or violations of consumer protection law without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until the CJEU delivers this decision, the present proceedings are put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Case number<br />
6Ob48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as court of appeal, through the President of the Senate Hon.-Prof. Dr. Gitschthaler as chairman, the court councillors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councillor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for injunctive relief and publication of the judgment, on the appeals of both parties against the judgment of the Linz Higher Regional Court as court of appeal of November 26, 2020, GZ 3 R 128/20v-15, by which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has ruled and decided in closed session:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal is not upheld insofar as it is directed against the injunction in point 1.1. of the appellate judgment (Clause 1).<br />
Insofar as it is directed against the injunction in point 2 of the appellate judgment (business practice 1), the defendant's appeal is upheld and the dismissing decision of the court of first instance (there point 3.1. of the judgment) is restored.<br />
With regard to point 4 of the appellate judgment, the proceedings are interrupted until the European Court of Justice has decided on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request to be authorized to publish the judgment granting the claim, and on the defendant's request to be authorized to publish the dismissing judgment, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of instalments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" the customer reaches an instalment calculator. There, the customer can enter the term of the instalment payments within a specified range. The maximum term is 48 months; the minimum monthly instalment is EUR 10. Once the item price and the desired term are entered, the system calculates the instalment surcharge, the monthly minimum instalment, the amount of the final instalment and the final instalment price, and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which reads in part as follows:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U ***** and other mail order companies of the O ***** - Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be granted the desired unsecured payment method (instalment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You have the right to request that we manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link entitled "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or with partial payment, an inquiry is automatically made to the credit agency using the data provided by the customer. If the customer is unknown there, the defendant refuses a business relationship with partial payment or on account and notifies the customer that delivery will be made against credit card or PayPal payment. If the customer is known, the scoring has three possible results, marked with three different colors. If the color is red, the unsecured payment method is likewise rejected; if it is yellow, an employee of the defendant checks; and if it is green, the order is accepted. In the case of a yellow scoring, the employee personally inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1 of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant in accordance with § 28a KSchG to refrain from the following conduct in business dealings with consumers in connection with consumer credit relationships:<br />
(Business practice 1 = point 2 of the judgment of the court of appeal): "to agree partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for consumers to pay for purchased goods, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the court of appeal): "to carry out the credit check when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially upheld the appeals of both parties. It confirmed the granting of the action with regard to clauses 1 and 2, setting a six-month performance period, and amended the judgment of the first court with regard to business practice 1 in the plaintiff's favor, likewise with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing revisions, the parties request the amendment of the decision of the appellate court in the sense of a complete granting or a complete dismissal of the action, whereby the defendant does not contest the granting of the action with regard to the cessation of use of clause 2 (point 1.2 of the appeal judgment). In the alternative, the defendant files an application for annulment.<br />
[19] The plaintiff requests that the defendant's revision be rejected or, in the alternative, not be upheld. The defendant requests that the plaintiff's revision be rejected.<br />
[20] The revisions of both parties are admissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is admissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest under Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, an agreement on the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not cured by listing the monthly interest rate, the annual interest rate and the effective annual interest rate, or by the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract formation, processing fees, etc., so that the average consumer does not necessarily have to infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that compound interest is stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement on compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather for the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship, to the effect that the mutual claims and performances arising from the relationship, including interest, are entered in an account and settled at regular intervals by offsetting and determining the surplus resulting for one party or the other. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, whoever is entitled to a surplus when the accounts are closed can demand compound interest.<br />
[33] 2.2. If one or more of the features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of one party or the permanent business relationship, one speaks of an improper current account agreement, to which the law on current accounts can apply by analogy (1 Ob 83/01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83/01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critically, on the classification of an installment credit as a current account relationship, Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355 (1) UGB is missing when a single purchase in installments is concluded, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Even on the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer with regard to the accrual of compound interest within the meaning of § 6 Paragraph 3 of the KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes it apparent that a periodic determination of the outstanding invoice amount takes place, including capitalization of the "partial payment costs" and their (renewed) bearing of interest. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the length of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the provision on "current account settlement" in truth merely effects the monthly charging of compound interest is therefore not generally recognizable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, since no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for the payment of goods purchased from it by consumers, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers, is objected to.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check under § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can supplement information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision prioritizing any particular means of obtaining information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer would have to be all the more detailed, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining credit information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that under § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [Business Practice 2], etc.) - is constituted by two elements: an obligation to cease and desist and the risk that this obligation will be violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of the business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to the request for judgment and the submissions in the action as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and/or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG for the defendant always to obtain information about the income and/or assets of prospective buyers in the case of partial payment transactions such as those offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recitals 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] Creditworthiness is not to be understood here as creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations under the loan agreement in full, without being pushed to the edge of his economic existence (Explanatory notes to the government bill, ErlRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (in favor: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek / Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, Consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; the same author, The protection provided by § 7 VKrG under civil law: legal benefit or wrong track, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud, Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case; the amount of the loan disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer, and the existence or duration and intensity of the business relationship between the lender and the consumer are relevant here (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76/16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (goods) loans that the lender's investigation obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information under Section 7 (1) VKrG must likewise be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations be made workable for the wide range of consumer loans covered by Section 7 (1) VKrG, which extends from financing assistance within the meaning of Section 25 (1) VKrG to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive neither conclusively specifies the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor specifies in more detail whether and how this information is to be verified. Rather, the lender has a margin of discretion as to whether the information available to him is sufficient to attest the creditworthiness of the loan applicant and whether he has to verify it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information available to him from the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available within the group of companies. In addition, it takes the amount of the loan into account in its decision-making; there are also other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and/or financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the performance period for ceasing the use of, and reliance on, clause 1 at six months because of the organizational measures necessary for the EDP conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association was not granted any active legitimation regarding data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action under § 28a KSchG is available.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal protection options of the data subjects, grant competitors on the one hand, and associations, institutions and chambers authorised under national law on the other hand, the power to bring an action before the civil courts against the infringer for violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject, from the point of view of the prohibition of unfair business practices, the violation of a consumer protection law, or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorised to take legal action under § 29 KSchG that is acting in 6 Ob 77/20x, there on the basis of § 28 KSchG. In the present proceedings, on the basis of § 28a KSchG, it seeks the cessation of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff is entitled to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature, with the legal protection instruments provided for in the GDPR, possibly intended to create an exhaustive regime for the enforcement of data protection violations, also for actions against business practices connected with the legal relationships mentioned in § 28a KSchG, is essential for the decision.<br />
[87] Thus, the Supreme Court also related its request for a preliminary ruling in 6 Ob 77/20x to the representative action "from the point of view of a violation of a consumer protection law", i.e. in accordance with § 28a KSchG (cf. . 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply it also to cases other than the one directly referred. For reasons of procedural economy, the present proceedings must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment becomes available would entail additional costs that would not be incurred in the case of joint publication (Ciresa, Handbuch der Urteilsveröffentlichung⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20307OGH - 6Ob48/21h2021-10-01T11:52:14Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=js<br />
|<br />
}}<br />
<br />
The Austrian Supreme Court decided to put a case on hold until the CJEU determined whether the GDPR precludes national legislation that grants consumer organisations the legitimacy to take legal action without a mandate and a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices, terms and conditions it found to be in violation of consumer protection law and the GDPR. More precisely, the association criticised several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already decided that the association lacks the legitimacy to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit ratings could in fact allow the association to take legal action under the GDPR. The court decided that the appeal is admissible because the legitimacy of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) is not ultimately clarified. The court refers to a parallel case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide on whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU the present procedure is put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Business number<br />
6Ob48/21h<br />
<br />
<br />
Head<br />
The Supreme Court, as a court of appeal, composed of the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councillors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councillor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for cessation and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128/20v-15, with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has ruled in closed session as follows:<br />
<br />
<br />
Ruling<br />
<br />
The appeal of the defendant, insofar as it is directed against the cease-and-desist order in item 1.1. of the appeal judgment (Clause 1), is not granted.<br />
Insofar as it is directed against the cease-and-desist order in item 2 of the appeal judgment (business practice 1), the appeal of the defendant is granted and the dismissing decision of the first court (there item 3.1. of the judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings will be interrupted until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 re 6 Ob 77 / 20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the request of the plaintiff to authorize it to publish the plaintiff's verdict, as well as the request of the defendant to authorize it to publish the dismissing verdict, are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...]"<br />
[3] Via the link "www.u*****.at/part-payment" you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u*****.at/datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and other mail order companies of the O***** Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You can assert the right to us to manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, he seeks to oblige the defendant in accordance with § 28a KSchG to refrain from doing business with consumers in connection with consumer credit relationships,<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "To agree on partial payment purchases and/or partial payment options with a total credit of at least EUR 200 for the payment of goods purchased by consumers, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially followed the appeals of both parties. It confirmed the admission of the action with regard to clauses 1 and 2, whereby it set a six-month performance period, and changed the judgment of the first court with regard to business practice 1 in the plaintiff's sense, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing revisions, the parties in dispute request the amendment of the decision of the appellate court in the sense of a complete upholding of the claim or a complete dismissal of the claim, whereby the defendant does not contest the upholding of the claim with regard to the cessation of the use of clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant files an application for annulment.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not granted. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The revisions of both parties are permissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is permissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts forbade the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest under Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, the agreement of the capitalisation of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer does not have to infer the agreement of compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due, as the appellate court has already correctly pointed out, only in the case of an "express" agreement between the parties. It is necessary that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 margin no. 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship that the mutual claims and services arising from the connection, plus interest, are entered into an account and, at regular intervals, are settled by offsetting and determining the surplus resulting in favour of one or the other party. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when closing the accounts can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube/Ratka/Rauter, UGB I / 34 § 355 Rz 5). Whether a single purchase in installments can already meet this requirement (critical of assessing an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4) or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship, does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Because even under the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer regarding the accrual of compound interest within the meaning of § 6 Paragraph 3 KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes clear that a periodic determination of the outstanding invoice amount takes place, including capitalisation of the "partial payment costs" and their (renewed) bearing of interest. This does not follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the provision on "current account settlement" in truth only effects the monthly charging of compound interest is therefore not generally recognisable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, because no other costs flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing partial payment purchases and / or partial payment options with a total credit of at least EUR 200 to pay for the goods purchased by consumers from it, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers, is objected to.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it had granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query may supplement the information obtained about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of the business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and / or" assets for the purpose of checking creditworthiness. According to the request for a judgment and the submissions in the action as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and / or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG to always obtain information about the income and / or the assets of prospective buyers in the case of partial payment transactions as offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C- 565/12, LCL Le Crédit Lyonnais SA, ECLI: EU: C: 2014: 190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recital 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] The creditworthiness is not to be understood as the creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full, without being pushed to the edge of his economic existence (ExplanationRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff ).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no. 10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no. 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek / Habersberger, Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; idem, The protection provided by § 7 VKrG under civil law: legal blessing or wrong path, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG up to the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud, Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with regard to the amount of the loan value disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer as well as the existence or duration and intensity the business relationship between the lender and the consumer is important (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's exploration obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must also be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations for the wide range of consumer loans covered by Section 7 (1) VKrG - which includes financial aid within the meaning of Section 25 (1) VKrG, up to large bank loans - be made possible.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive does not conclusively specify the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor does it specify in more detail whether and how this information is to be checked . Rather, the lender has a margin of discretion when it comes to whether the information he has is sufficient to certify the creditworthiness of the loan applicant and whether he has to check this against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information available to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI: EU : C: 2014: 2464, margin no.36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. In addition, it takes the amount of the loan into account in its decision-making; there are also other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are cases among the partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and / or financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the deadline for ceasing to use and to rely on clause 1 at six months because of the organizational measures necessary for the EDP conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance deadline set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association was not granted any active legitimation regarding data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Are the regulations in Chapter VIII, in particular in Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), contrary to national regulations that - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal protection options of the data subjects - grant, on the one hand, competitors and, on the other hand, associations, institutions and chambers authorized under national law the authority to proceed against the infringer, regardless of the violation of specific rights of individual data subjects and without the instruction of a data subject, because of violations of the GDPR by way of an action before the civil courts from the point of view of the prohibition of unfair business practices, the violation of consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorized to take legal action under § 29 KSchG that also acts in proceedings 6 Ob 77 / 20x - there based on § 28 KSchG. In the present proceedings, based on § 28a KSchG, it seeks the omission of a business practice used by the defendant in connection with consumer credit relationships, which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff is legitimized to assert violations of the GDPR by way of a representative action according to § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature with the legal protection instruments provided for in the GDPR is possibly a wanted to create a final regulation for the enforcement of data protection violations, also for lawsuits against business practices that are in connection with the legal relationships mentioned in § 28a KSchG, is essential for the decision.<br />
[87] Accordingly, the Supreme Court, in its request for a preliminary ruling on 6 Ob 77 / 20x, also referred to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG (cf. 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court of Justice has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply this also for other than the immediate case. For reasons of process economy, the present procedure must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because further publication after the final judgment is available would entail additional costs that would not be incurred in the case of joint publication (Ciresa, Handbook of Judgment Publication⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_21/00045&diff=20188Datatilsynet (Norway) - 21/000452021-09-29T08:28:36Z<p>JS: Very good and high quality summary - great work! Only changed "he/his" to "they/their" as we use it for gender neutrality of data subjects; Also moved content from comments section to the DPAs/Boards Position (since these were not 'own' opinions)</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet (Norway)<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=PVN-2021-06 (Datatilsynet 21/00045)<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Privacy Appeals Board (Personvernrådet)<br />
|Original_Source_Link_1=https://pvn.no/pvn-2021-06<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=22.06.2021<br />
|Date_Published=22.06.2021<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 15(1) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#1<br />
|GDPR_Article_2=Article 55 GDPR<br />
|GDPR_Article_Link_2=Article 55 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Rie Aleksandra Walle<br />
|<br />
}}<br />
<br />
The Norwegian Privacy Appeals Board rejected a complaint where a data subject asked the DPA to require Microsoft to uncover the identity (via IP addresses used at login) of alleged hackers of their Hotmail account.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After reviewing their Microsoft Hotmail account login activity, a data subject believed that the account had been hacked as the list of IP addresses showed unlawful logins and email activity. The data subject asked Microsoft support for help to identify these IP addresses, both in terms of the IP "owner" and the login location. Microsoft rejected the request.<br />
<br />
The data subject then requested assistance from the Norwegian DPA, based on GDPR rights. The DPA denied the request as per [[Article 55 GDPR|Article 55 GDPR]], stating that the GDPR does not apply to their situation. In this regard, the DPA noted that IP addresses may be personal data as per [[Article 4 GDPR|Article 4(1) GDPR]] and that the data subject indeed has a right to obtain these from Microsoft - however only as far as they concern their own personal data. Under [[Article 15 GDPR|Article 15(1) GDPR]], a data subject's access right pertains to their own personal data, not the personal data of someone else. Consequently, the DPA stated that it is not competent to instruct Microsoft to hand over this information.<br />
<br />
The data subject lodged a complaint to the DPA about their decision, however, the DPA upheld their decision and it was (as per Norwegian law) referred to the Privacy Appeals Board.<br />
<br />
=== Holding ===<br />
The Privacy Appeals Board agreed with the DPA and rejected the data subject's complaint. The Privacy Appeals Board noted that, regardless of the data subject's claim, it is not Microsoft that holds the list of IP addresses matched with identities, but the internet service providers (and only for a limited time). Further, it noted that it is usually difficult to determine the location of an IP address, especially if someone uses a mobile phone and a VPN (Virtual Private Network).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
Decision of the Privacy Board 22 June 2021 (Mari Bø Haugstad, Bjørnar Borvik, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin)<br />
The case concerns an appeal from A against the Data Inspectorate's decision of 23 March 2021 not to provide access to personal information related to IP addresses.<br />
Background to the case<br />
A contacted Microsoft Corporation Support in December 2020 and requested an overview of "login activity" on his Microsoft hotmail account. He was given a list of IP addresses showing logins to his e-mail account in 2019-2020. A believes that there have been unauthorized logins to his e-mail account during this period and asked Microsoft for help in identifying the IP addresses, both who was the "owner" of the IP addresses and the place where the machine used to log in was located. Microsoft Corporation denied A's request.<br />
A contacted the Data Inspectorate on 13, 15, 17, 19 and 22 December 2020. He requested the Authority's assistance in obtaining the identity of the person(s) associated with the IP address(es) who have logged in to his Microsoft hotmail account from abroad in 2019-2020. He also wanted information about all activity on the e-mail account during this period to find out if he had been the victim of identity theft and if e-mails had been sent in his name that he was not familiar with.<br />
On 1 February 2021, the Norwegian Data Protection Authority made the following decision to reject the complaint:<br />
"The complaint is rejected because the Data Inspectorate cannot see that the complaint deals with matters regulated by the Privacy Ordinance. The Data Inspectorate therefore does not have the competence to process the case in accordance with the Privacy Ordinance art. 55."<br />
A submitted a timely appeal against the Data Inspectorate's decision on 8 and 12 February 2021.<br />
The Data Inspectorate assessed the complaint, but found no reason to change its decision. The case was sent to the Privacy Board on March 26, 2021. A was informed of the case in a letter from the board on April 6, 2021, and was given the opportunity to comment. A has in a letter dated 23 April 2021 given his comments.<br />
The case was considered at the tribunal's meeting on 22 June 2021. The Privacy Committee had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem and Morten Goodwin. Secretariat leader Anette Klem Funderud was also present.<br />
The Data Inspectorate's assessment in outline<br />
The Data Inspectorate's task is to control the personal data regulations so that individuals are not violated through the use of information that can be linked to them. It follows from the Personal Data Act and the Privacy Ordinance that it must be a matter of processing personal data in order for the regulations to be applied.<br />
The Norwegian Data Protection Authority stipulates that the data subject has the right to access personal data about himself or herself pursuant to Article 15 no. 1 of the Privacy Ordinance, unless one of the exceptions in the Personal Data Act § 16 first paragraph letters a to f applies.<br />
The Data Inspectorate understands A's complaint so that he wants access to other people's personal information, ie the person(s) who owns the IP address(es) that have been used for what he believes are suspicious logins on his hotmail account. The right to access other people's personal data is not regulated in the Privacy Ordinance or in the Personal Data Act, and the Data Inspectorate therefore has no competence to order Microsoft to disclose this.<br />
A has asked the Authority for assistance in accessing information about activity on his e-mail account. The right of access in Article 15 applies to access to one's own personal data, not other types of data.<br />
The Norwegian Data Protection Authority points out that IP addresses can be regarded as personal data pursuant to Article 4 (1) of the Privacy Ordinance and that A has the right to have these disclosed from Microsoft, as long as it concerns his own personal data. The Norwegian Data Protection Authority assumes that he has received this from Microsoft. The Norwegian Data Protection Authority does not have the competence to require Microsoft to provide A with access to information other than personal information about himself.<br />
The Data Inspectorate rejects A's complaint because the complaint does not concern matters regulated by the Privacy Ordinance. The Norwegian Data Protection Authority therefore does not have the competence to process the case pursuant to Article 55 of the Privacy Ordinance.<br />
A view of the matter in brief<br />
He has received a list from Microsoft Corporation of IP addresses for logins to his e-mail account in 2019-2020 which shows that unknown individuals have logged in to the e-mail account from machines outside Norway. There is one IP address in particular associated with a computer in the Netherlands that A finds suspicious. He has lived and stayed in Norway throughout this period.<br />
Someone has illegally hacked his email account and probably sent emails in his name without his knowledge. This is illegal. Identity theft is punishable. He wants to report the case to the police and possibly file a compensation case and then he needs to know the identity of the people who hacked his e-mail. He wants the Data Inspectorate to find and disclose the identity of the people who own the specified IP addresses and find out what they have done with his e-mail account.<br />
When the Data Inspectorate refuses to disclose this information, the Authority protects these persons against criminal prosecution.<br />
The Privacy Board's assessment<br />
The Privacy Ordinance applies to fully or partially automated processing of personal data, cf. the Personal Data Act § 2. IP addresses will, depending on the circumstances, be regarded as personal data according to the Privacy Ordinance Article 4 No. 1, and Microsoft's processing of the IP addresses used to log in to A's e-mail account represents a processing of personal data that is covered by the law and the Privacy Ordinance.<br />
The tribunal assumes that A's complaint to the Norwegian Data Protection Authority concerns two different matters:<br />
1. A wants information about the identity of the persons associated with the various IP addresses that are on the list of logins on his e-mail account where the machine used has been outside Norway, and<br />
2. A wants information about all activity on his e-mail account during the periods when the machine used to log in to his e-mail account is located outside Norway<br />
The tribunal initially notes that it is not the e-mail provider Microsoft Corporation that has information about which persons are associated with the various IP addresses that are registered. It will be the various internet providers who, for a limited period, have an overview of personal information belonging to specific IP addresses. Furthermore, the tribunal notes that it will often be difficult to determine with certainty the location of an IP address, especially if a mobile phone and VPN (Virtual Private Network) are used.<br />
The question for the tribunal is whether the Privacy Ordinance gives A the right to access the identity of the persons behind the IP addresses who have logged in to his e-mail account.<br />
Pursuant to Article 15 (1) of the Privacy Ordinance, the person about whom information is processed, in the Act referred to as "the data subject", has the right of access. The right of access includes confirmation of whether personal data about the person in question is processed, and, if this is the case, access to the personal data and also such information as follows from letter a-h in the provision.<br />
Article 15 of the Privacy Regulation does not give the right to access personal information about other persons. Neither the Personal Data Act nor the Privacy Ordinance gives A the right to receive information from the data controller about which persons can be linked to different IP addresses. It is the police who, if the conditions are otherwise met, will be able to request the disclosure of such information in accordance with the provisions on search in the Criminal Procedure Act, Chapter 15. However, as pointed out above, such an inquiry must be directed to the relevant ISP and not to Microsoft.<br />
A will have the right to access registered activities on his e-mail account and the tribunal assumes that he will be given an overview of activities if he directs an inquiry to Microsoft Corporation. However, it will not involve information about which people are associated with the various activities.<br />
The tribunal agrees with the Norwegian Data Protection Authority that the Privacy Ordinance does not give A the right to demand access and disclosure of other people's personal data, but considers this a material assessment of whether the conditions for access under Article 15 are met - and not grounds for rejection.<br />
Conclusion<br />
A is not entitled to further access under Article 15 of the Privacy Ordinance.<br />
The decision is unanimous.<br />
Oslo, 22 June 2021<br />
Mari Bø Haugstad<br />
Manager<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=BVwG_-_W274_2237071-1&diff=20186BVwG - W274 2237071-12021-09-29T08:10:40Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BVwG<br />
|Court_With_Country=BVwG (Austria)<br />
<br />
|Case_Number_Name=W274 2237071-1<br />
|ECLI=ECLI:AT:BVWG:2021:W274.2237071.1.00<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=1e160388-0af9-477f-89b7-e5e6c80b2e83&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20210621_W274_2237071_1_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=21.06.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 12(2) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#2<br />
|GDPR_Article_2=Article 12(6) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#6<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Federal Administrative Court of Austria (BVwG) decided that a union which terminates the membership of a data subject also needs to comply with the data subject's request for erasure without additional proof of identity.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After multiple years as a member of a union the data subject decided to quit and sent the union a letter requesting termination of the membership and the deletion of personal data. Among other information the letter contained the membership number and the handwritten signature of the data subject.<br />
<br />
The union immediately terminated the membership of the data subject. In terms of the erasure request, however, the union asked for a copy of the data subject's ID in order to proceed with the deletion. Although the name and membership number were known to the union, it could not verify that the signature on the letter was also the data subject's.<br />
<br />
The union argued that although the data subject claimed to be known to the union due to their long membership, the size of the union with over 1.2 million members and its different administrative responsibilities did not constitute a personal relationship with the data subject. Moreover, the consequences of the data deletion would be severe compared to a resignation, given that the data was necessary for a later re-entry into the union to continue the data subject’s membership. Therefore, and in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]], additional measures of identification were required.<br />
<br />
The data subject refused to provide a copy of the ID, seeing a contradiction in providing even more data to achieve its deletion. The data subject argued that sending a copy of the ID does not provide any higher degree of reliability or proof of identity, since it could be stolen, forged or used by another person. According to the GDPR, additional information may only be requested if there are reasonable doubts about the identity of the natural person, which does not allow for routine identity checks whenever data subjects exercise their rights.<br />
<br />
=== Holding ===<br />
The BVwG ruled that the union unjustifiably requested proof of identity of the data subject and had not dealt with the latter's request for deletion. In this regard, it followed a previous position of the Austrian DPA according to which the union had not informed the data subject about why it had reasonable doubts regarding their identity.<br />
<br />
The Court held that since the union did not doubt the identity of the person with regard to their resignation, it cannot raise such doubts regarding the deletion of personal data in terms of [[Article 12 GDPR|Article 12(6) GDPR]]. A ''bona fide'' recipient can either be in doubt about the identity of the declarant or not.<br />
<br />
Any further request for proof of identity contradicts the requirement to facilitate the exercise of data subject rights pursuant to [[Article 12 GDPR#2|Article 12(2) GDPR]]. The union had therefore violated the data subject's right to erasure by not dealing with the content of the data subject's request for erasure pursuant to [[Article 17 GDPR|Article 17 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
court<br />
Federal Administrative Court<br />
<br />
<br />
Decision date<br />
June 21, 2021<br />
<br />
<br />
Business number<br />
W274 2237071-1<br />
<br />
<br />
Saying<br />
W274 2237071-1 / 10E<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
The Federal Administrative Court recognizes through the judge Mag.LUGHOFER as chairman and the expert lay judges Prof. KommR POLLIRER and Mag.PORICS as assessors on the complaint of the XXXX represented by FREIMÜLLER / OBEREDER / PILZ Rechtsanwältin GmbH, Alserstraße 21, 1080 Vienna, against the decision of Data protection authority, Barichgasse 40-42, 1030 Vienna, from October 9th, 2020, GZ: D124.1474 / 0003-DSB / 2019, participant XXXX, represented by Dr. Mag. XXXX, lawyer, Kolingasse 11/15, 1090 Vienna, due to violation of the right to erasure, right after a public hearing:<br />
The complaint will not be followed.<br />
The revision is not permitted according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
text<br />
Reasons for the decision:<br />
With a complaint dated October 1, 2019, XXXX (hereinafter: participant, MB) turned to the data protection authority (hereinafter: authority concerned) and claimed that when he terminated his membership in XXXX, he had asked for his personal data to be deleted and for confirmation thereof. In addition, he stated in his letter of July 11, 2019 that he saw no reason to doubt his identity. In the relevant reply from XXXX, doubts about the identity were again reported and he was asked to submit a new copy of his ID.<br />
As a decade-long member of the XXXX, the MB is known from frequent earlier contacts, for example from proceedings at the labor and social court, the granting of legal protection by the XXXX, legal advice, etc. On the occasion of his termination, the XXXX immediately implemented his revocation regarding the authorization to have the membership fee withheld by his pension-paying office. The MB sees a contradiction to the applicable data protection law to have to provide further data in order to be able to obtain a deletion.<br />
At the request of the authority concerned, the XXXX (hereinafter: complainant, BF) - represented by a lawyer - commented on November 5, 2019 as follows:<br />
The XXXX does not have its own legal personality, which is why the BF is responsible for the data applications in question in its sub-union.<br />
In the course of the implementation of the GDPR, the BF adjusted the process organization for the correspondence of deletion requests within the meaning of Art. 17 GDPR. He continues to insist on providing suitable proof of identity before irretrievably deleting membership data and other special categories of personal data in accordance with Art. 9 GDPR.<br />
The BF had a manually signed request for deletion. The XXXX asked the BF to send a copy of an official photo ID in order to be able to comply with the request for deletion. In fact, the XXXX knew a person with the name of the MB, but the XXXX had decided not to comply with a request for deletion without submitting a copy of the ID, as it could not be ruled out that the present signature came from another person. If the person concerned states that the XXXX / XXXX must be known to the XXXX / XXXX as a decade-long member from previous contacts, the size of the organization and the different responsibilities should be pointed out. Even if the data of the MB can be called up through the name or the membership number, nothing can be deduced from the identity of the MB. Membership administration and data deletion take place centrally, the persons involved have no personal relationship with the BF. The BF has 1.2 million members, a personal acquaintance of the responsible persons in the member administration to each individual member is to be excluded.<br />
With regard to "the objection to the suspension of the withholding of the membership fee", it is an internal decision of the association. The consequences of an exit - in which the identity is not checked more closely - appeared to be much smaller than the consequences of data deletion. After leaving, a re-entry with crediting of the previous membership is possible without any problems; data deletion is final. A restoration and crediting of previous memberships would no longer be possible, whereby all benefit claims associated with the duration of the membership expire. In the event of a re-entry after deleting the data, this person would have to start “from scratch”. Against this background, it is justified to forego proof of identity in the event of a mere termination of membership, but to insist on proof of identity in the event of irrevocable data deletion.<br />
Since the question of whether requests for deletion with regard to special categories of personal data must only be complied with after submission of suitable proof of identity does not only concern the BF, but is also of general interest, the BF is requesting advice within the meaning of Art. 57 Para. 1 lit.<br />
The MB had already asked a similar question in proceedings DSB-D123.918 / 0003-DSB / 2019, namely in relation to requests for information. In its decision of August 1, 2019, the authority in question determined that the person responsible could request additional information in accordance with Art. 12 (6) GDPR that was necessary to confirm the identity of the person concerned, if he had reasonable doubts about the identity of the person concerned when the person responsible can assign data in the inventory to the person concerned, but it is unclear whether the applicant is this person concerned. According to the case law of the VwGH, a high degree of reliability with regard to proof of identity is required. The indication of the name and address in connection with the mention of the membership number indicates a certain probability that the request for information is that of the complainant. However, a high degree of reliability cannot be assumed. This decision has become legally binding.<br />
In the opinion of the BF, the principles of this decision can be freely transferred to the present case, which is why the BF has not been obliged to delete data so far. However, the BF is always ready to comply with the request for deletion as soon as the MB has proven his identity beyond any doubt.<br />
In a letter dated November 8, 2019, the authority concerned informed the MB of the results of the investigation and pointed out that it seemed justified for the respondent there (now the BF) to request a copy of a suitable proof of identity in order to assign reasonable doubts about an identity remove. According to the preliminary legal opinion of the authority concerned, the complaint would have to be dismissed.<br />
In a letter dated November 30, 2019, the MB stated that the clerk could be a new tenant or roommate at the address in question, who had found his data and copies of his ID and had now approached the BF "in his name". Even if the writer sends a copy of an official ID card, there is in no way a high degree of reliability with regard to proof of identity from his point of view. An ID card could also have been alienated or forged. Incidentally, in his multiple letters, the BF never substantiated the doubts he harbored about identity. The BF explained that he had adjusted the organization of the process so that when membership data and other special categories of personal data were requested to be deleted, there was a "general" insistence on the submission of proof of identity. For the purposes of the GDPR, however, additional information may only be requested if there are reasonable doubts about the identity of the natural person. This therefore implies a case-by-case examination. Art. 12 GDPR does not aim to ensure that identity checks are routinely provided for every case of the assertion of data subject rights.<br />
Incidentally, according to the legal opinion of the MB, a termination of membership, which has already occurred, also implies the legal obligation to delete data if it is no longer necessary for the purpose for which it was collected. In this regard, it is irrelevant whether a person re-enters "from scratch". Incidentally, in the sense of the case law of the VwGH, a copy of the document is not suitable in order to be able to assume a high degree of reliability with regard to identifiability. It is therefore also inappropriate for the BF to request a copy of the ID in order to remove doubts about the identity. The XXXX sent their letter to the MB dated July 25, 2019 by means of registered RECO as a priority letter, consignment number R0588075870AT. This was delivered and documented against I-proof and signature. At this point in time, XXXX could already assume that proof of identity had been provided. The MB still sees a contradiction to the applicable data protection law to have to provide further additional data.<br />
With the contested decision, the authority in question upheld the complaint and found that the BF had thereby violated the MB's right to erasure by unjustifiably requesting proof of identity from the MB and not dealing with his request for deletion.<br />
The BF is also instructed to comply with the MB's request for deletion within a period of four weeks or to inform the MB of the reasons for not complying with the request for deletion. <br />
The authority in question first established that the MB had been a member of the XXXX for years, which was part of the BF's organization without legal personality. It also determined the content of the letter of the MB to the BF dated May 14, 2019 and that of the BF to the MB dated June 17, 2019. Legally, she then stated that the BF was the person responsible within the meaning of Art 4 Z 7 GDPR.<br />
According to Art. 17 Para. 1 GDPR, every person concerned has the right to request the deletion of their personal data from a person responsible. The right to erasure in accordance with Art. 17 GDPR is one of the rights of the data subject. The modalities for exercising the rights of the data subject are regulated in Art. 12 GDPR. According to Art. 12 (2) GDPR, the person responsible has to make it easier for the data subject to exercise his or her rights. If the person responsible has justified doubts about the identity of the natural person making the application, he can request additional information required to confirm the identity of the person concerned in accordance with Art. 12 (6) GDPR.<br />
The VwGH held on the requirement of proof of identity in relation to the legal situation according to the DSG 2000: The provision of § 26 DSG 2000 has the clearly recognizable purpose of preventing any abuse of the right to information by third parties to obtain information. Without proof of identity, a client may not transmit any data to the information applicant - from whom he can only assume at this moment that he is actually the person concerned - because otherwise he could violate data secrecy in accordance with Section 15 (1) DSG 2000.<br />
Proof of identity must be provided in a form that enables the client to check the identity of the information seeker with the person whose data is the subject of the information. With regard to the objectives of the law and to prevent abuse, a high degree of reliability with regard to proof of identity is required (VwSlg 19.411A / 2016).<br />
These considerations could be transferred to the new legal situation, since nothing has changed in the purpose of the counterpart regulation for establishing identity according to Art. 12 (6) GDPR.<br />
However, the obligation of the data subject to disclose their identity when requesting information has not been incorporated into the GDPR. The request for additional information is only permissible if there are reasonable doubts about the identity of the information seeker. Since both the right to information and the right to deletion are part of the rights of the data subject and therefore Art. 12 GDPR is equally relevant for both rights, the case law cited in this context on the right to information is also applicable to the right to deletion. It follows from this that the general request for the submission of proof of identity is not permissible, but that it always has to be a decision on a case-by-case basis. This also applies if it concerns data of special categories according to Art. 9 GDPR.<br />
The MB had submitted his request for deletion in writing by letter, which he personally signed and in which he had given his membership number in the subject. The termination of the MB had been complied with without further proof of identity. The BF also did not inform the MB why there were reasonable doubts about the identity. In the present case, therefore, it cannot be assumed that there were justified doubts about the identity of the MB within the meaning of Art. 12 (6) GDPR, which is why the further request for proof of identity contradicted the relief requirement under Art. 12 (2) GDPR. The BF therefore violated the MB's right to erasure by not dealing with the content of its request for deletion in accordance with Art. 17 GDPR, thus not complying or not giving the MB any reasons why the request for deletion was not being complied with.<br />
The BF's complaint against this notification is directed against the incomplete determination of the facts and an incorrect legal assessment with the request to rectify the notification and establish that the BF is not responsible for any violation of the rights of the person concerned.<br />
The authority concerned submitted the complaint, including the electronic administrative file, with the application to reject the complaint, to the administrative court on November 19, 2020. Reference is made in full to the contested decision.<br />
In a communication dated December 22nd, 2020, the BF "repeated" his application for an oral hearing, which was made by a witness in the complaint.<br />
With the completion of March 9, 2021, the BF was instructed to disclose within the deadline those person(s) as witness(es) who had doubts as to whether the letter of July 11, 2019 was signed or sent by the MB.<br />
An announcement was not made.<br />
With a - now legal - statement of March 25, 2021, the MB submitted that a comparison of the letter regarding termination or deletion on the one hand and the membership application did not reveal any differences in the names that could arouse justified doubts.<br />
Furthermore, the BF sent the MB a registered letter on July 25, 2019, which the MB received with proof of his identity, which the BF had also become aware of, so that the BF had confirmation of the MB's identity at the latest with the successful delivery in this regard obtain.<br />
With the acceptance of the termination, the membership relationship between the MB and the BF ended. This also meant that the BF's legal interest and thus the right to store the data were no longer applicable. The legal consequences of the termination weigh much more heavily than those of a deletion, since the rights to support of the MB ended with it. The argumentation of the BF would make countless requests for data deletion difficult or delay, because deleting the data in the event of a renewed business relationship could lead to disadvantages for the customer.<br />
On April 22nd, 2021, a public hearing took place before the administrative court, in which the case was discussed and the witness Mag. XXXX was questioned.<br />
In addition, the BF submitted that the delivery of a registered letter was not suitable for establishing an identity, because such a letter could be accepted by anyone living in the same household. The deletion of the data is more important than the mere acceptance of the termination, because a termination wrongly pronounced by a third party is at best reversible. The deletion of data is irrecoverable and the associated claims are lost forever. It concerns sensitive data within the meaning of Art. 9 GDPR, which is why special care is associated with it.<br />
The procedure at issue here is the one generally used by the BF, because deletion is irretrievable. One invokes the legal interest that, in the event of a re-entry, the previous times are taken into account. However, if a termination is accepted without deletion, access to this data will be administratively restricted.<br />
Due to the intervention of the representative of the MB, the doubts about the identity of the MB were in any case dispelled, because the MB representative was obliged for professional reasons to check the identity of his client. There is therefore no longer any doubt. However, the data have not yet been deleted because if the MB were to dismiss the legal protection interests, the BF could be interested in a final legal clarification.<br />
The MB also submitted that if the termination were accepted, the BF's right to data storage would be lost. If the BF were of the opinion that it would have been entitled to such an identity verification procedure, this would have to have taken place before acceptance of the termination of membership.<br />
A possible legal interest in the consideration of past times is a legal interest of the member, but not of the XXXX. Here the data protection officer is referring to a legal interest of the data protection officer.<br />
In any case, there could currently no longer be any legal interest in data storage relating to the MB. The interest in the clarification of a legal question could in no way mean a legitimate interest in the further storage of the data in the situation described by the BFV, according to which the BFV itself now considers the data to be ready for deletion, even according to its strict conception.<br />
The complaint is not justified:<br />
The following facts are established:<br />
The XXXX is a branch union of the BF without its own legal personality.<br />
The MB registered on June 28, 2006 as a member of the branch union of the BF XXXX on a form from the XXXX. There it appears with the data "XXXX, born XXXX, XXXX, department XXXX". The membership registration is signed by hand. "Joined from July 1st, 2006" is filled out.<br />
Attached to the membership registration is an authorization of the MB, directed to the accounting department of XXXX, to transfer the union contribution from its earnings to the XXXX. The MB also signed the declaration that in this context necessary data of the MB will be forwarded to XXXX with automated support (Enclosure ./B).<br />
In a letter sent by post and signed by hand on May 14, 2019, the MB informed the XXXX, stating its membership number, that it was terminating its membership and, in the course of this, requested the deletion of its data:<br />
XXXX.<br />
May 14, 2019.<br />
To XXXX.<br />
Regards:<br />
Termination of membership no. XXXX.<br />
Ladies and gentlemen!<br />
I am canceling my membership at XXXX. At the same time, I revoke the authorization granted to withhold the union contribution from my pension and have it transferred by my pension-paying office.<br />
After termination of my membership, please delete all of my stored personal data in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act (DSG).<br />
Please send me a written confirmation.<br />
Best regards<br />
XXXX "<br />
The signature is illegible.<br />
On May 17th, 2019, the membership administration of XXXX sent a letter to the MB with the following content:<br />
“Dear colleague XXXX!<br />
We take note of your resignation with regret. We will initiate the implementation of your concerns immediately.<br />
With union greetings "<br />
The XXXX informed the BF in a letter dated June 17, 2019 that his termination had been carried out and asked for a copy of his ID card and his membership number to be sent:<br />
The membership number is already listed on the letter of XXXX above the address of the BF:<br />
"XXXX,<br />
Mr. XXXX<br />
06/17/2019<br />
Leaving and deleting data.<br />
Dear colleague XXXX!<br />
We regret that you are leaving the XXXX. However, we immediately complied with your request to note your withdrawal. Since the union must treat member data as particularly sensitive personal data in accordance with the statutory provisions, it is necessary that you clearly identify yourself to implement the deletion request so that we can comply with your request for data deletion.<br />
We therefore ask you to enclose a copy of your ID with your new written request for data deletion and to state your membership number. Only then can we consider your request for deletion as having been made and check its content.<br />
A copy of your ID must therefore be sent together with your data deletion request either via email to datenschutzmanager XXXX or by post to XXXX.<br />
We would like to point out that if data can be deleted, we will no longer be able to credit you for pre-membership periods in the future in the event of a new entry. Any claims that may otherwise arise or exist, such as legal protection or support services, therefore expire without exception.<br />
With the request for information, we remain with union greetings<br />
XXXX<br />
Head of Member Administration<br />
XXXX Head of Organization and Economy. "<br />
On July 11, 2019, the MB sent a letter to XXXX with the following content:<br />
"Subject: renewed request for data deletion - XXXX,<br />
Your letter dated June 17th, 2019.<br />
Ladies and gentlemen!<br />
According to the General Data Protection Regulation, the request for proof of identity in the form of a copy of an ID is no longer provided. This is only possible in exceptional cases, e.g. if there are clear doubts about the identity. In this case, you would have to justify and prove this clear doubt about your identity.<br />
I have sent you my resignation letter, quoting the membership number, handwritten signature and the revocation of the authorization to withhold the union contribution from my pension.<br />
Since this revocation has now also been implemented (the pension-paying office will no longer retain anything for the XXXX), I see no reason to argue against data deletion.<br />
In addition, it is somewhat surprising that, after this implementation, I should now provide you with further personal data in order to be able to comply with my request for deletion.<br />
Sending a copy of your ID card by email, among other things, would have to be viewed critically from a data protection point of view anyway.<br />
Thus, my renewed request for the deletion of all of my personal data in accordance with the General Data Protection Regulation and the Data Protection Act is issued.<br />
Please send me a confirmation that it has been carried out. "<br />
In a letter dated July 25, 2019, the data protection manager of XXXX replied as follows:<br />
"Your letter from 07/11/2019.<br />
Dear Mr. XXXX!<br />
You have requested the deletion of all data stored about you, which we have responded to by asking you to submit an official photo ID to prove your identity. In a letter dated July 11, 2019, you informed us that sending photo ID is not a formal requirement for deletion and that you do not want to send us any ID.<br />
According to the provisions of the GDPR, we are obliged to use all reasonable means to check the identity of the person who is asserting a data subject right. The standard of care will be higher, the more sensitive the data covered by a deletion request are.<br />
It is therefore necessary, in those cases in which the identity of (the) data subject is not fully proven, to request a copy of their ID or a similar type of identification, as provided by the data protection authority itself in its templates. We therefore assume that the transmission of a copy of your ID is an appropriate, target-oriented and necessary measure in order to fulfill our obligations and to protect your interests.<br />
You have signed your letter by hand, but we cannot assign the signature to you with a high degree of certainty. Therefore, we must continue to insist on a secure identification of you.<br />
We therefore have to ask you again for a copy of your ID and remain with best regards<br />
Mag. XXXX, Mag. XXXX, data protection manager "<br />
It could not be ascertained that in the course of the processing of this matter, the BF's administrators had concrete doubts at any point that the author of the submissions from May 14, 2019 and July 11, 2019 was not the former member XXXX.<br />
At least since becoming aware of the intervention of the representative of MB Dr. Mag. XXXX, at the latest in the hearing on April 22nd, 2021, the BF no longer has any doubts about the identity of the MB as the author of the letters of May 14th, 2019 and July 11th, 2019.<br />
The BF promptly complied with the MB's resignation request on May 14, 2019. The revocation of the MB vis-à-vis its employer to withhold union fees and transfer them to XXXX has been implemented.<br />
Evidence assessment:<br />
The letters reproduced in the statements are in the file.<br />
The fact that the BF complied with the MB's membership termination promptly was expressly acknowledged in the letter from XXXX dated June 17, 2019. In this context, as well as based on the letter of the MB dated July 11, 2019, which was not opposed by the BF, it is also credible that the MB has revoked the withholding and transfer of the union fees by the employer and these debits were discontinued.<br />
The negative finding regarding the fact that the BF's administrators had specific doubts that the letters dated May 14, 2019 or July 11, 2019 actually came from the MB is based on the fact that, despite the BF's submission and an order to name corresponding witnesses for the hearing, the only named witness, Mag. XXXX, could not give any information as to which organ or administrator would have had doubts about the identity of the intervener on the basis of a signature comparison: "I am not aware of any departments for signature comparison at the XXXX." (Protocol from April 22nd, 2021, page 5). In addition, the BF disclosed that it was not concrete doubts about the signature on the MB's letter, but the established practice of the BF, that was the reason for requesting an identification document from the MB before deleting the data (complaint page 3, last paragraph, as well as testimony of the witness Mag. XXXX, protocol page 6). The argument at the oral hearing that the data had not yet been deleted because the legal protection interest might have been lost if the MB were dismissed, but the BF might be interested in a final legal clarification, shows that the reason for the previously refused deletion by the BF was not concrete doubts about the identity of the MB but the wish for a legal clarification of the BF's previous general practice of deleting data only after proof of identity has been sent. Ultimately, the fact that the BF already took note of the resignation on the basis of the letter of May 14, 2019 (letters of May 17, 2019 and June 17, 2019) and "complied" with the MB's request also speaks against concrete doubts about the identity of the MB, because even if the BF assesses the consequences of a resignation as less severe than those of a final data deletion, it cannot be assumed that, in the case of concrete doubts about the identity of the intervener, the termination would have been implemented without further clarification of such doubts.<br />
The fact that the BF has had no doubts about the identity of the MB as the author of the letters of 11.07.2019 and 14.05.2019, at least since the oral hearing, is based on the express submissions of the BF during the hearing.<br />
In legal terms, it follows:<br />
According to Art. 6 Para. 1 GDPR, the processing is lawful if at least one of the following conditions is met:<br />
a) The person concerned has given their consent to the processing of their personal data for one or more specific purposes.<br />
b) The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures that are carried out at the request of the data subject;<br />
c) The processing is necessary to fulfill a legal obligation to which the person responsible is subject;<br />
d) the processing is necessary to protect the vital interests of the data subject or another natural person;<br />
e) The processing is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority that has been assigned to the person responsible;<br />
f) The processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh this.<br />
According to Art. 9 Para. 1 GDPR, the processing of personal data from which racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership emerge is prohibited.<br />
Paragraph 2 regulates the relevant exceptions, in particular letter a in the case of express consent.<br />
According to Art. 12 Para. 1 GDPR, the person responsible shall take appropriate measures to provide the data subject with all information in accordance with Articles 13 and 14 and all communications in accordance with Art. 15 to 22 and Art. 34 that relate to the processing in a precise, transparent, understandable and easily accessible form in clear and simple language. The information is transmitted in writing or in another form, possibly also electronically. If requested by the person concerned, the information can be given orally, provided that the identity of the person concerned has been proven in another form.<br />
According to Paragraph 2, the person responsible facilitates the exercise of the data subject's rights according to Articles 15 to 22. In the cases mentioned in Article 11 Paragraph 2, the person responsible may refuse to act on the data subject's request to exercise their rights according to Art. 15 to 22 only if he credibly demonstrates that he is not able to identify the person concerned.<br />
...<br />
According to Paragraph 6, if the person responsible has justified doubts about the identity of the natural person who makes the application in accordance with Articles 15 to 21, he can, without prejudice to Article 11, request additional information that is necessary to confirm the identity of the person concerned.<br />
According to Art. 17 Para. 1 GDPR, the person concerned has the right to demand that the person responsible delete personal data concerning them immediately and the person responsible is obliged to delete personal data immediately if one of the following reasons applies:<br />
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.<br />
b) The data subject revokes their consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing.<br />
c) The data subject objects to the processing in accordance with Art. 21 Paragraph 1 and there are no overriding legitimate reasons for the processing or the data subject objects in accordance with Art 21 Paragraph 2.<br />
d) The personal data was processed unlawfully;<br />
e) The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the member states to which the person responsible is subject.<br />
f) The personal data was collected in relation to information society services offered in accordance with Art 8 Paragraph 1.<br />
According to Paragraph 3, Paragraphs 1 and 2 do not apply if the processing is necessary in the cases of a) to e).<br />
The person responsible must make it easier for the persons affected by data processing to exercise their rights to information, correction, deletion, restriction, data portability and objection. This means that no further hurdles may be set up for the provision of information according to Art. 13 and 14, and notifications must be carried out in accordance with the legal requirements (e.g. missing or limited availability, cost-intensive communication, imprecise contact addresses, or content or linguistic requirements that are not observed). If the person responsible cannot (no longer) identify the data subject because the identification is no longer necessary for the processing purpose, the person responsible can refuse to take action. In this case, rights of data subjects can naturally no longer be exercised, unless the data subject provides additional information that enables them to be identified. In these cases, the person responsible must credibly demonstrate that he is not able to identify the person concerned (Illibauer in Knyrim, DatKom, Art. 12 GDPR, margin nos. 71 and 72).<br />
If the person responsible has justified doubts about the identity of the person making an application according to Art. 15-21 (i.e. whether an inquiring person is at the same time the authorized person), he can request additional information that confirms the identity of the person concerned. A tried and tested form of identity determination under the Austrian Data Protection Act 2000 (DSG 2000), namely the obligation of the data subject to disclose his / her identity when requesting information, has not been incorporated into the GDPR. For the person responsible it is difficult not only that he has to determine the identity beyond doubt in advance, but also to judge when there are well-founded doubts and when proof of identity can be requested. For all of this, he is also required to provide evidence. If he does not do this, personal data could have been disclosed in an inadmissible manner. If, for example, he asks for a copy of an ID without justified doubts, he could have made it more difficult to exercise the rights of the data subject and acted contrary to Art. 12 (2). In those cases in which the identity of the person concerned or inquirer is not completely clear, it is advisable to request a copy of the ID or a similar type of identification. Such an assessment will have to be carried out on a case-by-case basis (as above, margin nos. 75 to 77).<br />
On the merits:<br />
Legal relationships between an association and its members are of a private law nature. The prevailing view is that association membership is terminated by a unilateral declaration of resignation (1 Ob 176 / 98h with further references).<br />
According to the findings, the BF or its branch union XXXX already took action, after a letter from the MB containing his name and address, his membership number and his own signature, to the effect that it noted the MB's withdrawal from the union and thus took the necessary steps towards terminating the membership. Already from this action, with which the BF accepted the termination of the legal relationship, it follows that the BF had no concrete doubts about the identity of the intervener (who acted in writing), since it cannot be assumed that in that case it would have accepted the termination of membership without further ado.<br />
The BF argues that the deletion of data, due to its finality, is of greater significance than the termination of membership, which is reversible. The comparative assessment of the scope of these two circumstances can, however, be left open: an honest recipient of a declaration can be expected either to doubt the identity of the declaring party with regard to legally relevant circumstances or not. Since the BF had no doubts about the identity of the MB with regard to the withdrawal from the association, it cannot raise such (concrete) doubts with regard to the MB's declaration insofar as this concerns aspects of data protection law.<br />
The BF rightly points out that union membership is sensitive data. There are no doubts about the justification of the data processing by the BF with regard to data of the MB in the past, due to the express consent of the person concerned (the MB) at the time. Regardless of whether the MB data still stored at the BF is qualified as data about union membership and thus sensitive data (Art. 9) or as other data (Art. 6), the BF has repeatedly claimed that there are several legal bases for storing data of former members when membership no longer exists. However, these allegations were not made concrete (witness Mag. XXXX, pages 4 and 5). From the BF's explicit procedural position of deleting the MB's data after submission of proof of identity, it follows that the BF itself assumes that the reason for processing the MB's data can only be his consent. Other reasons for justification within the meaning of Article 6 (1) b to f or Article 9 (2) b to j need not be dealt with. This means that Article 17 (1) (b) is relevant for deletion.<br />
The BF's argumentation is not consistent if the BF, as the person responsible, on the one hand accepts a declaration by a member that leads to termination of membership in the absence of any doubts about the identity of the declaring party, but on the other hand does not implement the consequence of the termination of membership, namely that there is no longer any justification for processing the data, on account of doubts about the identity of the declaring party. The BF cannot gain anything in this context from the sensitivity of the trade union data, because that sensitivity protects against unauthorized processing.<br />
As stated, according to the current legal situation and the facilitation requirement of Art. 12 Para. 2 GDPR, an individual examination must be carried out. A refusal to act on the basis of an application in accordance with Articles 15 to 22 can only be successful if the person responsible demonstrates credibly that he is unable to identify the person concerned. In view of the evidence presented above and the fact that the BF very well identified the MB in the context of accepting the termination, the BF was unable to credibly demonstrate this in the specific case.<br />
On the other arguments in the complaint:<br />
In the course of the oral hearing, it emerged that - as stated - no concrete doubts about the signature arose on the part of the BF's officers. In that case, it cannot be assumed that the termination of membership would have been accepted. If the BF refers to the consequences of the irretrievable loss of data in the event of deletion, it must be pointed out again that it was unable to credibly demonstrate the lack of identifiability of the MB. In its letter of 11.07.2019, the MB repeated its request for deletion. This declaration was made after the BF had referred to the possible negative consequences in this regard in its letter dated June 17, 2019.<br />
Whether the sending of an official identification document is a "comparatively harmless requirement" for the person concerned cannot be assessed here: the BF must again be referred to the legal situation in accordance with Art. 12 (2), according to which a refusal to act can only be justified if it is made credible that the data subject cannot be identified.<br />
If the BF, under the aspect of Art. 32 GDPR, points out that an identity check must be carried out before deletion in order to maintain data accuracy and avoid unauthorized disclosure or unauthorized destruction of the data, Art. 32 is not relevant in the present case: Art. 32 regulates the obligations in connection with the level of protection of stored data at the processor. The question of further processing or deletion, as well as the upstream question of which requirements are placed on the identity check for corresponding applications, is governed by the aforementioned provisions.<br />
Overall, the complaint is therefore unsuccessful even after the facts have been supplemented in the context of the oral hearing requested.<br />
The statement of the inadmissibility of the revision is based on the fact that individual assessments had to be made on the basis of Article 12 (2) GDPR, so that no legal question of any significance beyond the individual case had to be resolved. The requirements for the identification of a deletion applicant can typically only be assessed on a case-by-case basis with reference to the specific request for deletion and the knowledge that the addressed controller has about the deletion applicant.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI: AT: BVWG: 2021: W274.2237071.1.00<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=BVwG_-_W274_2237071-1&diff=20185BVwG - W274 2237071-12021-09-29T08:04:03Z<p>JS: Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_With_Country=BVwG (Austria) |Case_Number_Name=W274 22370..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BVwG<br />
|Court_With_Country=BVwG (Austria)<br />
<br />
|Case_Number_Name=W274 2237071-1<br />
|ECLI=ECLI:AT:BVWG:2021:W274.2237071.1.00<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=1e160388-0af9-477f-89b7-e5e6c80b2e83&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20210621_W274_2237071_1_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=21.06.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 12(2) GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR#2<br />
|GDPR_Article_2=Article 12(6) GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR#6<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Federal Administrative Court of Austria (BVwG) decided that a union which has accepted a data subject's resignation without questioning their identity must also comply with the data subject's request for erasure without demanding additional proof of identity.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After multiple years as a member of a union, the data subject decided to quit and sent the union a letter asking for the termination of the membership and the deletion of their personal data. Among other information, the letter contained the membership number and the handwritten signature of the data subject.<br />
<br />
The union immediately cancelled the membership of the data subject. As regards the erasure request, however, the union asked for a copy of the data subject's ID before proceeding with the deletion. Although the name and membership number were known to the union, it stated that it could not verify that the signature on the letter was the data subject's.<br />
<br />
The union argued that, although the data subject claimed to be known to the union owing to their long membership, the size of the union (1.2 million members) and its division of administrative responsibilities meant that the staff handling the request had no personal acquaintance with the data subject. Moreover, the consequences of data deletion would be severe compared to a resignation, given that the data was necessary to credit the previous membership period in the event of a later re-entry into the union. Therefore, and in accordance with [[Article 12 GDPR#6|Article 12(6) GDPR]], additional measures of identification were required.<br />
<br />
The data subject refused to provide a copy of the ID, seeing a contradiction in having to provide even more data in order to achieve its deletion. The data subject argued that sending a copy of an ID does not provide any higher degree of reliability or proof of identity, since an ID could be stolen or forged and then used by another person. Under the GDPR, additional information may only be requested where there are reasonable doubts about the identity of the natural person, which rules out routine identity checks in every case in which a data subject exercises their rights.<br />
<br />
<br />
=== Holding ===<br />
The BVwG ruled that the union had unjustifiably requested proof of identity from the data subject and had not dealt with the substance of the latter's request for deletion. In this regard, it followed a previous position of the Austrian DPA, according to which the union had not informed the data subject as to why there were reasonable doubts regarding their identity. The request for further proof of identity therefore did not meet the requirements of [[Article 12 GDPR#6|Article 12(6) GDPR]].<br />
<br />
The Court held that since the union did not doubt the identity of the person with regard to their resignation, it cannot raise such doubts regarding the deletion of their personal data. A bona fide recipient of a declaration either doubts the identity of the declarant or does not; it cannot accept the declaration for one purpose and question it for another.<br />
<br />
The further request for proof of identity contradicted the requirement under [[Article 12 GDPR#2|Article 12(2) GDPR]] to facilitate the exercise of data subject rights. The union had therefore violated the data subject's right to erasure by not dealing with the content of the data subject's request for erasure pursuant to [[Article 17 GDPR|Article 17 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
court<br />
Federal Administrative Court<br />
<br />
<br />
Decision date<br />
June 21, 2021<br />
<br />
<br />
Business number<br />
W274 2237071-1<br />
<br />
<br />
Saying<br />
W274 2237071-1 / 10E<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
The Federal Administrative Court, through the judge Mag. LUGHOFER as chairman and the expert lay judges Prof. KommR POLLIRER and Mag. PORICS as assessors, on the complaint of the XXXX, represented by FREIMÜLLER / OBEREDER / PILZ Rechtsanwältin GmbH, Alserstraße 21, 1080 Vienna, against the decision of the Data Protection Authority, Barichgasse 40-42, 1030 Vienna, of October 9th, 2020, GZ: D124.1474 / 0003-DSB / 2019, participant XXXX, represented by Dr. Mag. XXXX, lawyer, Kolingasse 11/15, 1090 Vienna, concerning a violation of the right to erasure, has ruled after a public oral hearing:<br />
The complaint is not upheld.<br />
The revision is not permitted according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
text<br />
Reasons for the decision:<br />
With a complaint dated October 1, 2019, XXXX (hereinafter: participant, MB) turned to the data protection authority (hereinafter: authority concerned) and claimed that when he terminated his membership in XXXX, he had asked for his personal data to be deleted and for confirmation thereof. In addition, he stated in his letter of July 11, 2019 that he saw no reason to doubt his identity. In the relevant reply from XXXX, doubts about his identity were again reported and he was asked to submit a new copy of his ID.<br />
As a decade-long member of the XXXX, the MB is known from frequent earlier contacts, for example from proceedings at the labor and social court, the granting of legal protection by the XXXX, legal advice, etc. On the occasion of his termination, the XXXX immediately implemented his revocation regarding the authorization to have the membership fee withheld by his pension-paying office. The MB sees a contradiction to the applicable data protection law to have to provide further data in order to be able to obtain a deletion.<br />
At the request of the authority concerned, the XXXX (hereinafter: complainant, BF) - represented by a lawyer - commented on November 5, 2019 as follows:<br />
The XXXX does not have its own legal personality, which is why the BF is responsible for the data applications in question in its sub-union.<br />
In the course of the implementation of the GDPR, the BF adjusted the process organization for the handling of deletion requests within the meaning of Art. 17 GDPR. He continues to insist on suitable proof of identity being provided before membership data and other special categories of personal data in accordance with Art. 9 GDPR are irretrievably deleted.<br />
The BF had a manually signed request for deletion. The XXXX asked the BF to send a copy of an official photo ID in order to be able to comply with the request for deletion. In fact, the XXXX knew a person with the name of the MB, but the XXXX had decided not to comply with a request for deletion without submitting a copy of the ID, as it could not be ruled out that the present signature came from another person. If the person concerned states that the XXXX / XXXX must be known to the XXXX / XXXX as a decade-long member from previous contacts, the size of the organization and the different responsibilities should be pointed out. Even if the data of the MB can be called up through the name or the membership number, nothing can be deduced from the identity of the MB. Membership administration and data deletion take place centrally, the persons involved have no personal relationship with the BF. The BF has 1.2 million members, a personal acquaintance of the responsible persons in the member administration to each individual member is to be excluded.<br />
With regard to "the objection to the suspension of the withholding of the membership fee", it is an internal decision of the association. The consequences of an exit - in which the identity is not checked more closely - appeared to be much smaller than the consequences of data deletion. After leaving, a re-entry with crediting of the previous membership is possible without any problems; data deletion is final. A restoration and crediting of previous memberships would no longer be possible, whereby all benefit claims associated with the duration of the membership expire. In the event of a re-entry after deleting the data, this person would have to start “from scratch”. Against this background, it is justified to forego proof of identity in the event of a mere termination of membership, but to insist on proof of identity in the event of irrevocable data deletion.<br />
Since the question of whether requests for deletion with regard to special categories of personal data must only be complied with after submission of suitable proof of identity does not only concern the BF, but is also of general interest, the BF is requesting advice within the meaning of Art. 57 Para. 1 lit.<br />
The MB had already raised a similar question in proceedings DSB-D123.918 / 0003-DSB / 2019, namely in relation to requests for information. In its decision of August 1, 2019, the authority concerned determined that the person responsible could request additional information in accordance with Art. 12 (6) GDPR that was necessary to confirm the identity of the person concerned if he had reasonable doubts about the identity of the person concerned, i.e. where the person responsible can assign data in his stock to the person concerned but it is unclear whether the applicant is that person. According to the case law of the VwGH, a high degree of reliability with regard to proof of identity is required. The indication of the name and address in connection with the mention of the membership number indicates a certain probability that the request for information is that of the complainant. However, a high degree of reliability cannot be assumed. This decision has become legally binding.<br />
In the opinion of the BF, the principles of this decision can be freely transferred to the present case, which is why the BF has not been obliged to delete data so far. However, the BF is always ready to comply with the request for deletion as soon as the MB has proven his identity beyond any doubt.<br />
In a letter dated November 8, 2019, the authority concerned informed the MB of the results of the investigation and pointed out that it seemed justified for the respondent there (now the BF) to request a copy of a suitable proof of identity in order to remove reasonable doubts about identity. According to the preliminary legal opinion of the authority concerned, the complaint would have to be dismissed.<br />
In a letter dated November 30, 2019, the MB stated that the clerk could be a new tenant or roommate at the address in question, who had found his data and copies of his ID and had now approached the BF "in his name". Even if the writer sends a copy of an official ID card, there is in no way a high degree of reliability with regard to proof of identity from his point of view. An ID card could also have been alienated or forged. Incidentally, in his multiple letters, the BF never substantiated the doubts he harbored about identity. The BF explained that he had adjusted the organization of the process so that when membership data and other special categories of personal data were requested to be deleted, there was a "general" insistence on the submission of proof of identity. For the purposes of the GDPR, however, additional information may only be requested if there are reasonable doubts about the identity of the natural person. This therefore implies a case-by-case examination. Art. 12 GDPR does not aim to ensure that identity checks are routinely provided for every case of the assertion of data subject rights.<br />
Incidentally, according to the legal opinion of the MB, a termination of membership, which has already occurred, also implies the legal obligation to delete data if it is no longer necessary for the purpose for which it was collected. In this regard, it is irrelevant whether a person re-enters "from scratch". Incidentally, in the sense of the case law of the VwGH, a copy of the document is not suitable in order to be able to assume a high degree of reliability with regard to identifiability. It is therefore also inappropriate for the BF to request a copy of the ID in order to remove doubts about the identity. The XXXX sent their letter to the MB dated July 25, 2019 by means of registered RECO as a priority letter, consignment number R0588075870AT. This was delivered and documented against I-proof and signature. At this point in time, XXXX could already assume that proof of identity had been provided. The MB still sees a contradiction to the applicable data protection law to have to provide further additional data.<br />
With the contested decision, the authority in question upheld the complaint and found that the BF had thereby violated the MB's right to erasure by unjustifiably requesting proof of identity from the MB and not dealing with his request for deletion.<br />
The BF is also instructed to comply with the MB's request for deletion within a period of four weeks or to inform the MB of the reasons for not complying with the request for deletion. <br />
The respondent authority first established that the MB had for years been a member of the XXXX, which is part of the BF's organisation and has no legal personality of its own. It also determined the content of the MB's letter to the BF dated May 14, 2019 and of the BF's letter to the MB dated June 17, 2019. In law, it then held that the BF was the controller within the meaning of Art. 4(7) GDPR.<br />
Under Art. 17(1) GDPR, every data subject has the right to obtain from the controller the erasure of personal data concerning him or her. The right to erasure under Art. 17 GDPR is one of the data subject's rights, the modalities for exercising which are governed by Art. 12 GDPR. Under Art. 12(2) GDPR, the controller must facilitate the exercise of the data subject's rights. Where the controller has reasonable doubts concerning the identity of the natural person making the request, it may, under Art. 12(6) GDPR, request the provision of additional information necessary to confirm the identity of the data subject.<br />
On the requirement of proof of identity under the previous legal situation, the DSG 2000, the VwGH held: the provision of § 26 DSG 2000 has the clearly recognisable purpose of preventing any abuse of the right of access by third parties seeking to obtain information. Without proof of identity, a controller (Auftraggeber) may not transmit any data to the requester, of whom it can at that moment only assume that he is actually the data subject, because otherwise it could violate data secrecy under § 15(1) DSG 2000.<br />
Proof of identity must be provided in a form that enables the controller to verify that the requester is the person whose data is the subject of the request. Having regard to the objectives of the law and the prevention of abuse, a high degree of reliability of the proof of identity is required (VwSlg 19.411A/2016).<br />
These considerations can be transferred to the new legal situation, since nothing has changed in the purpose of the counterpart provision on establishing identity, Art. 12(6) GDPR.<br />
However, the data subject's obligation to disclose his or her identity when making an access request has not been carried over into the GDPR. A request for additional information is only permissible if there are reasonable doubts about the requester's identity. Since both the right of access and the right to erasure are data subject rights, and Art. 12 GDPR therefore applies equally to both, the case law cited on the right of access also applies to the right to erasure. It follows that a blanket demand for proof of identity is not permissible; the decision must always be made on a case-by-case basis. This also applies where special categories of data under Art. 9 GDPR are concerned.<br />
The MB had submitted his deletion request in writing by letter, which he signed personally and in whose subject line he stated his membership number. His termination had been accepted without further proof of identity. Nor did the BF inform the MB why there were reasonable doubts about his identity. In the present case it therefore cannot be assumed that there were reasonable doubts about the MB's identity within the meaning of Art. 12(6) GDPR, which is why the further demand for proof of identity contravened the facilitation requirement of Art. 12(2) GDPR. The BF therefore violated the MB's right to erasure by not dealing with the substance of his deletion request under Art. 17 GDPR, i.e. by neither complying with it nor giving the MB reasons for not complying.<br />
The BF's complaint against this decision is directed against the incomplete determination of the facts and an incorrect legal assessment, with the request to amend the decision and find that the BF is not responsible for any violation of data subject rights.<br />
The respondent authority submitted the complaint, together with the electronic administrative file, to the administrative court on November 19, 2020 with the application to dismiss the complaint, referring in full to the contested decision.<br />
In a submission dated December 22, 2020, the BF "repeated" the application, already made in the complaint, for an oral hearing with examination of a witness.<br />
By order of March 9, 2021, the BF was instructed to disclose within a set deadline the person(s) to be named as witness(es) who had doubts as to whether the letter of July 11, 2019 had been signed or sent by the MB.<br />
No such disclosure was made.<br />
In a statement of March 25, 2021, now submitted through legal counsel, the MB argued that a comparison of the letter concerning termination and deletion on the one hand and the membership application on the other revealed no differences in the signatures that could give rise to reasonable doubts.<br />
Furthermore, the BF had sent the MB a registered letter on July 25, 2019, which the MB received upon proof of his identity, as the BF also became aware, so that the BF had confirmation of the MB's identity at the latest with that successful delivery.<br />
With acceptance of the termination, the membership relationship between the MB and the BF ended, and with it the BF's legal interest in, and thus its right to, storing the data. The legal consequences of the termination weigh far more heavily than those of a deletion, since the MB's entitlements to support ended with it. The BF's line of argument would hinder or delay countless deletion requests, because deleting the data could lead to disadvantages for the customer in the event of a renewed business relationship.<br />
On April 22, 2021, a public hearing took place before the administrative court, at which the case was discussed and the witness Mag. XXXX was examined.<br />
The BF further submitted that delivery of a registered letter is not suitable for establishing identity, because such a letter can be accepted by anyone living in the same household. Deletion of the data is more significant than the mere acceptance of a termination, because a termination wrongly declared by a third party is at least reversible, whereas deletion of data is irreversible and the associated claims are lost for good. Sensitive data within the meaning of Art. 9 GDPR is concerned, which is why particular care is required.<br />
The procedure at issue here is the one the BF applies generally, because deletion is irreversible. The BF relies on the legal interest that, in the event of a re-entry, previous membership periods are taken into account. If a termination is accepted without deletion, however, access to this data is administratively restricted.<br />
In any case, the doubts about the MB's identity were dispelled by the intervention of the MB's representative, who was professionally obliged to verify his client's identity; there are therefore no longer any doubts. The data have nevertheless not yet been deleted because deleting them might cause the legal interest in the proceedings to lapse, and the BF has an interest in a final legal clarification.<br />
The MB further submitted that, once the termination was accepted, the BF's right to store the data lapsed. If the BF took the view that it was entitled to such an identity-verification procedure, that procedure would have had to take place before the termination of membership was accepted.<br />
A possible legal interest in having past membership periods taken into account is a legal interest of the member, not of the XXXX. The BF's representative is here invoking a legal interest of the BF itself.<br />
In any case, there can no longer be any legal interest in storing data relating to the MB. An interest in clarifying a legal question cannot constitute a legitimate interest in the continued storage of the data in the situation described by the BFV, according to which the BFV itself now considers the data ready for deletion even on its own strict view.<br />
The complaint is unfounded:<br />
The following facts are established:<br />
The XXXX is a branch union of the BF without legal personality of its own.<br />
The MB registered on June 28, 2006 as a member of the BF's branch union XXXX on a form of the XXXX. There he appears with the data "XXXX, born XXXX, XXXX, department XXXX". The membership registration is signed by hand. "Joined from July 1, 2006" is filled in.<br />
Attached to the membership registration is an authorisation by the MB, addressed to the accounting department of XXXX, to transfer the union contribution from his earnings to the XXXX. The MB also signed a declaration that the MB's data necessary for this purpose would be forwarded to XXXX by automated means (Enclosure ./B).<br />
In a letter sent by post and signed by hand on May 14, 2019, the MB informed the XXXX, stating his membership number, that he was terminating his membership and, in the course of this, requested the deletion of his data:<br />
"XXXX.<br />
May 14, 2019.<br />
To XXXX.<br />
Subject:<br />
Termination of membership no. XXXX.<br />
Ladies and gentlemen!<br />
I hereby terminate my membership of XXXX. At the same time, I revoke the authorisation granted to withhold the union contribution from my pension and have it transferred by my pension-paying office.<br />
After termination of my membership, please delete all of my stored personal data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DSG).<br />
Please send me a written confirmation.<br />
Best regards<br />
XXXX "<br />
The signature is illegible.<br />
On May 17, 2019, the membership administration of XXXX sent the MB a letter with the following content:<br />
“Dear colleague XXXX!<br />
We take note of your resignation with regret. We will initiate the implementation of your concerns immediately.<br />
With union greetings "<br />
The XXXX informed the MB in a letter dated June 17, 2019 that his termination had been carried out and asked him to send a copy of his ID card and state his membership number:<br />
The membership number is already listed on the XXXX's letter above the MB's address:<br />
"XXXX,<br />
Mr. XXXX<br />
06/17/2019<br />
Withdrawal and data deletion.<br />
Dear colleague XXXX!<br />
We regret that you are leaving the XXXX. However, we have immediately complied with your request to record your withdrawal. Since the union must treat member data as particularly sensitive personal data under the statutory provisions, you must clearly identify yourself so that we can implement your request for data deletion.<br />
We therefore ask you to enclose a copy of your ID with a new written request for data deletion and to state your membership number. Only then can we regard your deletion request as having been made and examine its content.<br />
A copy of your ID must therefore be sent together with your data deletion request either by email to datenschutzmanager XXXX or by post to XXXX.<br />
We would like to point out that if your data is deleted, we will no longer be able to credit you for previous membership periods in the event of a new entry. Any claims that may otherwise arise or exist, such as legal protection or support services, therefore expire without exception.<br />
With this request, we remain with union greetings<br />
XXXX<br />
Head of Member Administration<br />
XXXX Head of Organization and Economy. "<br />
On July 11, 2019, the MB sent a letter to XXXX with the following content:<br />
"Subject: renewed request for data deletion - XXXX,<br />
Your letter dated June 17th, 2019.<br />
Ladies and gentlemen!<br />
Under the General Data Protection Regulation, a request for proof of identity in the form of a copy of an ID is no longer provided for. This is only possible in exceptional cases, e.g. if there are clear doubts about identity. In that case you would have to justify and prove those clear doubts about my identity.<br />
I sent you my resignation letter, quoting the membership number, with handwritten signature and the revocation of the authorisation to withhold the union contribution from my pension.<br />
Since this revocation has now also been implemented (the pension-paying office no longer withholds anything for the XXXX), I see no reason to argue against data deletion.<br />
In addition, it is somewhat surprising that, after this implementation, I should now provide you with further personal data in order for my deletion request to be complied with.<br />
Sending a copy of an ID card by email, among other things, would in any case have to be viewed critically from a data protection point of view.<br />
I therefore renew my request for the deletion of all my personal data in accordance with the General Data Protection Regulation and the Data Protection Act.<br />
Please send me a confirmation that it has been carried out. "<br />
In a letter dated July 25, 2019, the data protection manager of XXXX replied as follows:<br />
"Your letter from 07/11/2019.<br />
Dear Mr. XXXX!<br />
You have requested the deletion of all data stored about you, to which we responded by asking you to submit an official photo ID to prove your identity. In your letter dated July 11, 2019, you informed us that sending photo ID is not a formal requirement for deletion and that you do not wish to send us any ID.<br />
Under the provisions of the GDPR, we are obliged to use all reasonable means to verify the identity of the person asserting a data subject right. The standard of care is higher the more sensitive the data covered by a deletion request.<br />
It is therefore necessary, in cases where the identity of the data subject is not fully proven, to request a copy of their ID or a similar form of identification, as the data protection authority itself provides for in its templates. We therefore consider the transmission of a copy of your ID to be an appropriate, targeted and necessary measure to fulfil our obligations and to protect your interests.<br />
You signed your letter by hand, but we cannot assign the signature to you with a high degree of certainty. We must therefore continue to insist on secure identification of you.<br />
We therefore have to ask you again for a copy of your ID and remain with best regards<br />
Mag. XXXX, Mag. XXXX, data protection manager "<br />
It could not be established that, at any point in the handling of this matter, the BF's administrators had concrete doubts that the author of the submissions of May 14, 2019 and July 11, 2019 was not the former member XXXX.<br />
At least since becoming aware of the intervention of the MB's representative Dr. Mag. XXXX, and at the latest at the hearing on April 22, 2021, the BF has no longer had any doubts that the MB is the author of the letters of May 14, 2019 and July 11, 2019.<br />
The BF promptly complied with the MB's withdrawal request of May 14, 2019. The MB's revocation, vis-à-vis his employer, of the authorisation to withhold union fees and transfer them to XXXX has been implemented.<br />
Assessment of evidence:<br />
The letters reproduced in the findings are in the file.<br />
That the BF promptly complied with the MB's termination of membership was expressly acknowledged in the XXXX's letter of June 17, 2019. In this context, and on the basis of the MB's letter of July 11, 2019, which the BF did not contest, it is also credible that the MB revoked the withholding and transfer of union fees by the employer and that these deductions were discontinued.<br />
The negative finding as to whether the BF's administrators had specific doubts that the letters of May 14, 2019 and July 11, 2019 actually came from the MB is based on the following. Despite the BF's submission and an order to name corresponding witnesses for the hearing, the only witness named, Mag. XXXX, could not say which officer or administrator would have had doubts about the intervener's identity on the basis of a signature comparison: "I am not aware of any departments of the XXXX for signature comparison." (record of April 22, 2021, page 5). In addition, the BF disclosed that it was not concrete doubts about the signature on the MB's letter but the BF's established practice that led it to request an identification document from the MB before deleting the data (complaint, page 3, last paragraph, and testimony of the witness Mag. XXXX, record page 6). The argument at the oral hearing that the data had not yet been deleted because the legal interest in the proceedings might otherwise lapse and the BF is interested in a final legal clarification shows that the reason for the previously refused deletion was not concrete doubts about the MB's identity but the wish for a legal clarification of the BF's previous general practice of deleting data only after proof of identity has been sent. Finally, the fact that the BF already took note of the withdrawal on the basis of the letter of May 14, 2019 (letters of May 17, 2019 and June 17, 2019) and "complied" with the MB's request speaks against concrete doubts about the MB's identity, because even if the BF assesses the consequences of a withdrawal as less serious than those of a final deletion, in the case of concrete doubts about the intervener's identity it would not be expected to implement the termination without first clarifying those doubts.<br />
That the BF has had no doubts, at least since the oral hearing, that the MB is the author of the letters of July 11, 2019 and May 14, 2019 is based on the BF's express submissions at the hearing.<br />
In law, it follows:<br />
Under Art. 6(1) GDPR, processing is lawful only if at least one of the following applies:<br />
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;<br />
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;<br />
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.<br />
Under Art. 9(1) GDPR, processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership is prohibited.<br />
Paragraph 2 sets out the relevant exceptions, in particular letter (a) for explicit consent.<br />
Under Art. 12(1) GDPR, the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
Under paragraph 2, the controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.<br />
...<br />
Under paragraph 6, without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.<br />
Under Art. 17(1) GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:<br />
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;<br />
(b) the data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and there is no other legal ground for the processing;<br />
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);<br />
(d) the personal data have been unlawfully processed;<br />
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;<br />
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).<br />
Under paragraph 3, paragraphs 1 and 2 do not apply to the extent that processing is necessary in the cases listed in (a) to (e).<br />
The controller must facilitate the exercise by data subjects of their rights of access, rectification, erasure, restriction, data portability and objection. This means that no further hurdles may be erected and that information under Art. 13 and 14 and communications must be provided in accordance with the legal requirements (e.g. missing or limited availability, cost-intensive communication channels, imprecise contact addresses, or disregard of content or language requirements are not permissible). If the controller cannot (or can no longer) identify the data subject because identification is no longer necessary for the processing purpose, the controller may refuse to act. In that case data subject rights can naturally no longer be exercised unless the data subject provides additional information enabling identification. In such cases the controller must demonstrate that it is not in a position to identify the data subject (Illibauer in Knyrim, DatKom, Art. 12 GDPR, marginal nos. 71 and 72).<br />
If the controller has reasonable doubts about the identity of a person making a request under Art. 15 to 21 (i.e. whether the person asking is also the person entitled), it may request additional information to confirm the data subject's identity. A tried and tested form of establishing identity under the Austrian DSG 2000, namely the data subject's obligation to disclose his or her identity when making an access request, has not been carried over into the GDPR. For the controller it is difficult that it must not only establish identity beyond doubt in advance, but also determine when doubts are well-founded and proof of identity may be requested, and it bears the burden of proof for all of this. If it fails to do so, personal data may have been disclosed impermissibly; if, for example, it requests a copy of an ID without reasonable doubts, it may have impeded the exercise of data subject rights and acted contrary to Art. 12(2). In cases in which the identity of the data subject or requester is not entirely clear, it is advisable to request a copy of an ID or a similar form of identification. Such an assessment must be made on a case-by-case basis (ibid., marginal nos. 75 to 77).<br />
Down to business:<br />
Legal relationships between an association and its members are of a private law nature. The prevailing view is that association membership is terminated by a unilateral declaration of resignation (1 Ob 176 / 98h mwN).<br />
According to the findings, the BF or its branch union XXXX already took action after a letter from the MB containing his name and address, his membership number and his own signature, to the effect that he noted the withdrawal of the MB from the union, thus the termination took the necessary steps towards membership. Already from this action, with which the BF accepted the termination of the legal relationship with the BF, it follows that the BF had no concrete doubts about the identity of the intervener (acting in writing), since it cannot be assumed that in this case he would terminate the membership without would have accepted more.<br />
The BF argues that the deletion of data due to its finality is of greater significance than the termination of membership, which is reversible. The comparative assessment of the scope of these two circumstances can, however, be left open: A honest recipient of the declaration can be expected to either doubt the identity of the declaring party with regard to legally relevant circumstances or not. Since the BF had no doubts about the identity of the MB with regard to the withdrawal from the association, he cannot raise such (concrete) doubts with regard to the MB's declaration, insofar as this concerns aspects of data protection law.<br />
The BF rightly points out that union membership is a sensitive date. There are no doubts about the justification of the data processing by the BF with regard to data from the MB in the past due to the express consent of the person concerned (the MB) at the time. Regardless of whether the MB data still stored at the BF is qualified as such about union membership and thus sensitive data (Art. 9) or other data (Art. 6), the BF has repeatedly claimed that there are several legal bases for Storage of data from former members when membership no longer exists. However, these allegations were not made concrete (witness Mag. XXXX, pages 4 and 5). According to the BF's explicit procedural point of view of deleting the MB's data after submitting proof of identity, it follows that the BF itself assumes that the reason for processing the MB's data can only be its consent. Other reasons for justification within the meaning of Article 6 (1) b to f or Article 9 (2) b to j need not be dealt with. This means that Article 17 (1) (b) is relevant for deletion.<br />
The BF's argumentation is not stringent if the BF, as the person responsible, accepts a declaration by a member that leads to termination of membership in the absence of any doubts about the identity of the declaring party, on the other hand the consequence of termination of membership of a no longer given justification for Processing of data is not implemented due to doubts about the identity of the declaring party. The BF cannot gain anything in this context from the sensitivity of the trade union data, because it protects against unauthorized processing.<br />
As stated, according to the current legal situation and the relief requirement of Art. 12 Para. 2 GDPR, an individual examination must be carried out. A refusal to act on the basis of an application in accordance with Articles 15 to 22 can only be successful if the person responsible demonstrates credibly that he is unable to identify the person concerned. In view of the evidence presented above and the fact that the BF very well identified the MB within the framework of the acceptance of the termination, the latter was unable to make such a case-related credible.<br />
On the other arguments in the complaint:<br />
In the course of the oral hearing, it emerged that - as stated - no concrete doubts arose due to the signature of the officers of the BF. In this case, it cannot be assumed that the termination of membership would have been accepted. If the BF refers to the consequences of the irretrievable loss of data in the event of deletion, it must be pointed out again that he was unable to make the lack of identifiability of the MB credible. In its letter of 11.07.2019, the MB repeated its request for deletion. This declaration was made after reference to the possible negative consequences in this regard with a letter from the BF dated June 17, 2019.<br />
Whether the sending of an official identification document is a "comparatively harmless requirement" for the person concerned cannot be assessed here: The BF must again be referred to the legal situation in accordance with Art. 12 (2), according to which a refusal to act can only be justified if it is made credible that the data subject cannot be identified.<br />
If the BF, under the aspect of Art. 32 GDPR, points out that an identity check must be carried out before deletion is carried out in order to maintain data accuracy and avoid unauthorized disclosure or unauthorized destruction of the data, Art. 32 is not relevant in the present case: Art. 32 regulates the obligations in connection with the level of protection of stored data at the processor. The question of further processing or deletion, as well as the upstream question of which requirements are placed on the identity check for corresponding applications, is governed by the aforementioned provisions.<br />
Overall, the complaint is therefore unsuccessful even after the facts have been supplemented in the context of the oral hearing requested.<br />
The statement of the inadmissibility of the revision is based on the fact that individual assessments had to be made on the basis of Article 12 (2) GDPR, so that no legal question of any significance beyond the individual case had to be resolved. The requirements for the identification of a deletion applicant can typically only be assessed on a case-by-case basis with reference to the specific request for deletion and the knowledge that the party addressed has about the deletion applicant.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI: AT: BVWG: 2021: W274.2237071.1.00<br />
<br />
<br />
</pre></div>
JS
https://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20168
OGH - 6Ob48/21h
2021-09-28T14:37:59Z
<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian Supreme Court (OGH) decided to stay the proceedings in a case until the CJEU has decided whether the GDPR precludes national legislation that grants consumer organisations standing to take legal action without a mandate and irrespective of a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association Verein für Konsumenten Information) sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions it considered to be in violation of consumer protection law and the GDPR. More precisely, the association criticized several non-transparent contractual clauses on interest and creditworthiness checks, as well as the defendant making decisions based on classifications by external credit scoring agencies in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under applicable data protection law. In this regard, the appellate court had already decided that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous court failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] in connection with consumer credit ratings could in fact allow the association to take legal action under the GDPR. The court held that the appeal is admissible because the standing of the plaintiff association under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not yet been conclusively clarified. The court refers to a parallel case of the plaintiff currently pending before the CJEU as part of a preliminary ruling procedure.<br />
<br />
In this regard, the CJEU has to decide whether the GDPR precludes national rules from granting associations the power to take legal action against unfair business practices or violations of consumer protection laws without a mandate and irrespective of the violation of specific rights of individual data subjects (see [[OGH - 6Ob77/20x|here]]). Until this decision is delivered by the CJEU, the present proceedings are put on hold.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Business number<br />
6Ob48 / 21h<br />
<br />
<br />
Header<br />
The Supreme Court, as a court of appeal by the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U ***** GmbH , *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for omission and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128 / 20v-15 , with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67 / 19w-9, was partially amended, rightly recognized in a closed session and decided:<br />
<br />
<br />
Ruling<br />
<br />
The appeal of the defendant, insofar as it is directed against the cease-and-desist order in point 1.1. of the appeal judgment (Clause 1), is not granted.<br />
Insofar as it is directed against the omission requirement item 2 of the appeal judgment (business practice 1), the appeal of the defendant will be followed and the dismissing decision of the first court (there item 3.1. Of the judgment) will be restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings will be interrupted until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 re 6 Ob 77 / 20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the request of the plaintiff to authorize it to publish the plaintiff's verdict, as well as the request of the defendant to authorize it to publish the dismissing verdict, are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u *****. At / part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link “www.u *****. At / part-payment” you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u *****. At / datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U ***** and other mail order companies of the O ***** - Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U ***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O ***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U ***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O ***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U ***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U ***** GmbH and to request such information from U ***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the failure probability by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a chargeable e-mail provider than is the case when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency C ***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C ***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You can assert the right to us to manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6 Paragraph 1b GDPR and Article 6 Paragraph 1f GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account). "<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer arrives at a link with the title "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant in accordance with § 28a KSchG to refrain from the following business practices in dealings with consumers in connection with consumer credit relationships,<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "To agree on partial payment purchases and / or partial payment options with a total credit of at least EUR 200 for consumers to pay for goods purchased, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially followed the appeals of both parties. It confirmed the admission of the action with regard to clauses 1 and 2, whereby it set a six-month performance period, and changed the judgment of the first court with regard to business practice 1 in the plaintiff's sense, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing revisions, the parties in dispute request the amendment of the decision of the appellate court in the sense of a complete upholding of the complaint or a dismissal of the complaint, whereby the defendant does not contest the upholding of the complaint with regard to the omission of clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant files an application for annulment.<br />
[19] The plaintiff requests that the defendant's appeal be dismissed or, in the alternative, that it should not be followed. The defendant requests that the plaintiff's appeal be disregarded.<br />
[20] The revisions of both parties are permissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is permissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a. "<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts forbade the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest according to Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, the agreement of the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the rate calculator, because the effective annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer does not have to infer the agreement of compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that the compound interest is conditional, for which sufficiently clear conclusive explanations are sufficient (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann , UGB³ § 355 margin no. 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship, that the mutual claims and services arising from the connection, plus interest, are invoiced and settled at regular intervals by offsetting and determining the surplus resulting for one or the other party. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when closing the accounts can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5) . Whether a single purchase in installments can already meet this requirement (critical for assessing an installment credit as a current account relationship Dullinger in Artmann, UGB³ § 355 Rz 4) or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Because even under the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer regarding the accrual of compound interest within the meaning of § 6 Paragraph 3 of the KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates makes clear that a periodic determination of the outstanding invoice amount takes place, including capitalization of the "partial payment costs" and their (renewed) interest. This does not follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the offsetting of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that the regulation of the "current account settlement" in truth only effects the monthly settlement of compound interest is therefore not generally recognizable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, because no other costs would flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing partial payment purchases and / or partial payment options with a total credit of at least EUR 200 for consumers to pay for the goods purchased from it is objected to, without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check according to § 7 VKrG in the fact that the defendant does not collect any information about the consumer's income and other liabilities in the case of installment transactions. In response to the plaintiff's letter of warning, the defendant justified its high interest rate with the fact that no collateral had to be provided for the loans it had granted and no evidence of employment or regular cash inflow had to be provided. The database query and the analysis of previous purchasing behavior did not allow any conclusions to be drawn about income and no prognostic decision as to whether the consumer would be able to meet his payment obligations in full. The database query can be used to obtain information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters this by saying that obtaining information from a database, specifically by making an inquiry to the specified credit bureau, fulfills the requirements of Section 7 of the VKrG. In any case, the entrepreneur does not have to approach the consumer. The scope of the investigation obligations depends on the individual case and is lower in the case of small goods loans than in the case of typical bank loans. The defendant allows partial payments for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. Legally, it discussed that the lender had to carry out the credit check on the basis of sufficient information. In order to assess the creditworthiness, the current income and liquid funds of the consumer should first be used and compared with the costs of the loan and the current repayment; a database query should only be carried out if this was additionally necessary.<br />
[44] In its appeal, the defendant asserts that there is no provision for prioritizing the procurement of information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an impact especially in the case of low monthly payments, so that the information to be obtained from the consumer must be higher, the lower the loan amount. In such cases, however, obtaining detailed information is unusual and does not provide a more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behavior. Obtaining information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who violates a legal requirement or prohibition in business dealings with consumers in connection with consumer credit relationships and thereby affects the general interests of consumers can be sued for an injunction without prejudice to Section 28 (1) KSchG (Section 28a (1) KSchG).<br />
[47] 1.2. Section 28a KSchG extends the scope of representative actions to include illegal business practices by entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in Section 28a (1) KSchG (10 Ob 13 / 17k; 7 Ob 168 / 17g; Kathrein / Schoditsch in KBB6 § 28a KSchG margin no.1). The behavior complained of must also be of importance for a large number of contracts or non-contractual legal relationships, which is especially the case for illegal behavior in mass business (RS0121961). This is to effectively prevent any behavior found to be inadmissible under the law that has developed into a practice of the respective entrepreneur (6 Ob 228 / 16x).<br />
[48] 1.3. The right to cease and desist - including that according to § 28a KSchG (cf. 10 Ob 13 / 17k; 4 Ob 179 / 18d [Business Practice 2], etc.) - is substantiated by two elements: an obligation to cease and desist and the risk that this obligation to cease and desist is violated. If one of these elements is missing, there is no right to cease and desist (RS0037660).<br />
[49] 2.1. The subject of the claim for action and the verdict is always only the specific infringing act (RS0037478 [T2, T5]). However, it is permissible to describe the inadmissible behavior in a generalized way and to clarify it by means of "especially" listed individual bans. Even with such a more general version of the injunction, the verdict must cover the core of the infringing act (4 Ob 206 / 19a; 9 Ob 57 / 20b).<br />
[50] The claim is to be understood as it is meant by the plaintiff in conjunction with the claimant's account (RS0037440).<br />
[51] 2.2. The core of the business practice 1 complained of by the plaintiff consists in giving consumers the option of partial payment without obtaining information on income "and / or" assets for the purpose of checking creditworthiness. According to the relief sought and the pleadings as a whole, the plaintiff association seeks a ban that is not restricted to specific groups of cases or the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the partial payment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtained information on the income situation or the assets of its prospective buyers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods from the defendant (i.e. after rejecting an “unsafe” payment method requested by the consumer) does the defendant request proof of income, for example.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and / or assets, violates a legal prohibition, specifically § 7 VKrG. The decisive factor is whether an obligation can be derived from Section 7 VKrG to always obtain information about the income and / or the assets of prospective buyers in the case of partial payment transactions such as those offered by the defendant, from a credited purchase price of EUR 200 (see Section 4 (1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. According to § 7 VKrG applicable to hire purchase contracts in accordance with § 25 Paragraph 1 VKrG (see Foglar-Deinhardstein in Fenyves / Kerschner / Vonkilch, Klang³ § 25 VKrG margin no. 69), the lender must check the creditworthiness of the consumer using sufficient information before concluding the credit agreement, which he - if necessary - demands from the consumer; if necessary, he must also obtain information from an available database (Section 7 (1) VKrG). If this check reveals considerable doubts about the ability of the consumer to fully fulfill his obligations under the credit agreement, the lender must inform the consumer of these concerns about his creditworthiness (Section 7 (2) VKrG).<br />
[56] With this, the obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive (Directive 2008/48 / EC on consumer credit agreements) was implemented in Austrian law. According to Article 8 (1) of the Consumer Credit Directive, the member states ensure that, before concluding the credit agreement, the lender assesses the creditworthiness of the consumer on the basis of sufficient information that he may obtain from the consumer and, if necessary, on the basis of information from the database in question. Those Member States that legally oblige lenders to assess creditworthiness on the basis of a query in a corresponding database can retain this requirement.<br />
[57] 3.2. The obligation of the lender to assess the creditworthiness of the consumer in accordance with Article 8 Paragraph 1 of the Consumer Credit Directive is intended to protect consumers from irresponsible granting of credit that exceeds their financial capabilities and can lead to their insolvency (ECJ April 27, 2014, C- 565/12, LCL Le Crédit Lyonnais SA, ECLI: EU: C: 2014: 190, margin no. 42 f). In addition, the credit check prescribed by Union law is intended to serve the general interest in a functioning credit industry in the internal market (Recital 6, 7 Consumer Credit Directive; Pesek in Klang³ § 7 VKrG margin no. 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] The creditworthiness is not to be understood as the creditworthiness in the banking sense. Rather, it is about the assessment of whether the consumer will probably be able to meet his payment obligations from the loan agreement in full, without being pushed to the edge of his economic existence (ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no.10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; on the other hand: Wendehorst, What is creditworthiness? In Blaschek / Habersberger , Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; ders, The protection provided by § 7 VKrG under civil law: legal beneficence oder Irrweg, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG up to the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud , Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no.12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with regard to the amount of the loan value disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer as well as the existence or duration and intensity the business relationship between the lender and the consumer is important (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's exploration obligations are limited; In this context, they refer to information from databases and reject any further credit check that is incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must also be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations for the wide range of consumer loans covered by Section 7 (1) VKrG - which includes financial aid within the meaning of Section 25 (1) VKrG, up to large bank loans - be made possible.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive does not conclusively specify the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor does it specify in more detail whether and how this information is to be checked . Rather, the lender has a margin of discretion when it comes to whether the information he has is sufficient to certify the creditworthiness of the loan applicant and whether he has to check this against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information available to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI: EU : C: 2014: 2464, margin no.36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. It also takes the amount of the loan into account in its decision, as well as other factors that are not related to the creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and / or their financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the active legitimation of the plaintiff association according to §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the deadline for ceasing the use of and reliance on Clause 1 at six months, because of the organisational measures required for the IT conversion. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance deadline set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association was not granted any active legitimation regarding data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks the active legitimation to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the collective action according to § 28a KSchG was opened.<br />
[84] 1. In proceedings 6 Ob 77 / 20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Art. 80 Paragraphs 1 and 2 and Art. 84 Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national provisions which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies of the data subjects - grant competitors on the one hand and, on the other hand, associations, institutions and chambers authorised under national law the power to bring an action before the civil courts against the infringer for violations of the GDPR, irrespective of the violation of specific rights of individual data subjects and without a mandate from a data subject, on the basis of the prohibition of unfair business practices, a violation of consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorized to take legal action under § 29 KSchG who intervenes on 6 Ob 77 / 20x - there based on § 28 KSchG. In the present proceedings, based on § 28a KSchG, he seeks the omission of a business practice used by the defendant in connection with consumer credit relationships, which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff is legitimised to assert violations of the GDPR by way of a representative action according to § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature, with the legal protection instruments provided for in the GDPR, may have intended to create an exhaustive regime for the enforcement of data protection violations, which would also apply to actions against business practices connected with the legal relationships mentioned in § 28a KSchG, is essential for the decision.<br />
[87] For example, the Supreme Court referred its request for a preliminary ruling on 6 Ob 77 / 20x also to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG - (cf. . 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court of Justice has to assume a general effect of the preliminary ruling of the European Court of Justice and to apply this also for other than the immediate case. For reasons of process economy, the present procedure must therefore be interrupted (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the interruption of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment is available would entail additional costs that would not be incurred in the case of joint publication (Ciresa, Handbuch der Urteilsveröffentlichung⁴ [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI: AT: OGH0002: 2021: 0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>JShttps://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20167OGH - 6Ob48/21h2021-09-28T14:25:48Z<p>JS: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian Supreme Court (OGH) decided to suspend the proceedings in a case until the CJEU has decided whether consumer organisations may take legal action under the GDPR without a mandate and without a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association "Verein für Konsumenten Information") sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions that it found to be in violation of consumer protection law and the GDPR. More precisely, the association objected to several non-transparent contractual clauses on interest and creditworthiness checks and criticised the defendant for making decisions based on classifications made by an external credit scoring agency, in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under data protection law. In this regard, the previous court had already decided that the association lacks the legitimacy to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous courts failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] taking place in connection with consumer credit relationship could in fact allow the association to take legal action under the GDPR.<br />
<br />
The court decided that the appeal is admissible because the legitimacy of the plaintiff association to take legal action under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not yet been conclusively clarified. The court refers to a similar case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
The CJEU has to decide whether the provisions of the GDPR preclude national regulations from granting associations the power to take action against unfair business practices or violations of consumer protection law irrespective of the violation of specific rights of individual data subjects and without a mandate (see [[OGH - 6Ob77/20x|here]]). Until the CJEU has decided, the present proceedings are suspended.<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see [[OGH - 6Ob77/20x|here]].<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Business number<br />
6Ob48 / 21h<br />
<br />
<br />
Head<br />
The Supreme Court, as a court of appeal, by the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U ***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for omission and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128 / 20v-15, with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67 / 19w-9, was partially amended, ruled and decided in closed session:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal, insofar as it is directed against the cease-and-desist order in item 1.1. of the appeal judgment (Clause 1), is not granted.<br />
Insofar as it is directed against the cease-and-desist order in item 2 of the appeal judgment (business practice 1), the defendant's appeal is granted and the dismissing decision of the first court (there item 3.1. of the judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings will be interrupted until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 re 6 Ob 77 / 20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the request of the plaintiff to authorize it to publish the plaintiff's verdict, as well as the request of the defendant to authorize it to publish the dismissing verdict, are reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u *****. At / part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link "www.u*****.at/part-payment" the customer reaches an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly installment is EUR 10. When the item price and the desired term are entered, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment and the final installment price, and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the defendant's data protection information (www.u*****.at/datenschutz), which reads in part as follows:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called unsecured payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and the other mail-order companies of the O***** Group generally give their customers the opportunity to purchase goods using unsecured payment methods (e.g. purchase on account, installment purchase).<br />
[...]<br />
Companies that generally allow their customers to use unsecured payment methods have a legitimate interest in protecting themselves as far as possible against payment defaults. This is done, among other things, by checking the customer's creditworthiness before granting the option of using unsecured payment methods. As part of this check, we are entitled to ask U***** GmbH whether it has received negative creditworthiness information about the respective customer from the other mail-order companies of the O***** Group. Furthermore, we are entitled to transmit negative creditworthiness information about the respective customer to U***** GmbH, which in turn may pass it on to the other mail-order companies of the O***** Group mentioned above before these companies give the customer the option of using unsecured payment methods.<br />
Creditworthiness information consists of information about outstanding payment claims and information from which a direct risk of payment default follows (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U***** GmbH, the customers concerned are informed on a payment reminder that such transmission may occur. We are also entitled to transmit information about extremely atypical ordering patterns (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U***** GmbH and to request such information from U***** GmbH. This serves to avoid payment defaults and to protect our customers against misuse of their accounts or their identity.<br />
In cases in which a customer wishes to order using an unsecured payment method, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the default probability by means of internal scoring is based on a recognized mathematical-statistical procedure. The data used in the internal scoring result in particular from a combination of the following data categories (non-exhaustive): address data, age, desired payment conditions, ordering channel and product range groups. Only data that the customer has given us are used in the internal scoring. On the basis of the named data categories, the mathematical-statistical procedure used allows conclusions to be drawn about the probability of payment default. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus to a restriction of the payment method. There is no restriction of the payment method based solely on the place of residence of the person placing the order. In addition, it has been statistically shown, for example, that the risk of payment default is lower when a paid e-mail provider is used than when a free provider is used. As part of the examination of whether an unsecured payment method (installment purchase / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency: C***** GmbH, *****.<br />
For the purpose of retrieving creditworthiness information, the following data are transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of payment default, the outstanding balance. The data mentioned may also be transmitted to C***** GmbH, *****, for the purpose of person and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we may use an automated procedure to decide whether you will be granted the desired unsecured payment method (installment purchase / purchase on account). For example, when a negative credit report is received from a credit agency or when an insufficient score is calculated in the internal scoring, the desired payment method may be rejected automatically. You have the right to request that we review the automated decision manually. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. We have a legitimate interest in carrying out a credit check whenever you select an unsecured payment method (installment purchase / purchase on account)."<br />
[5] Under the heading "Data protection notice" and the text "Information on payment method restrictions: Would you like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.", the customer reaches a link titled "Request information".<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or by partial payment, an inquiry is automatically made to the credit agency using the data provided by the customer. If the customer is unknown there, the defendant declines a business relationship on partial payment or on account and notifies the customer that he will be supplied against credit card or PayPal. If the customer is known, the scoring yields one of three results, marked with three different colors. If the color is red, the unsecured payment method is likewise refused; if it is yellow, an employee of the defendant checks; if it is green, the order is accepted. In the case of a yellow score, the employee himself inspects the database and decides whether and, if so, under what conditions the order is released.<br />
[10] If a customer makes use of the option of requesting information, further information is requested from him, for example proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are charged on a current-account basis and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current-account settlement, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks, pursuant to § 28a KSchG, to oblige the defendant to refrain, in business dealings with consumers in connection with consumer credit relationships, from<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing installment purchases and/or installment payment options with a total credit amount of at least EUR 200 for the payment of goods purchased by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income and/or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4. of the judgment of the court of appeal): "carrying out the credit check when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially upheld the appeals of both parties. It confirmed that the action was upheld with regard to clauses 1 and 2, but set a six-month performance period, and amended the judgment of the first court with regard to business practice 1 in the plaintiff's favour, likewise with a six-month performance period.<br />
[17] It declared the further appeal admissible because the case partly concerned clauses or business practices that had not yet been assessed by the Supreme Court and that are of importance for a larger number of consumers.<br />
[18] In their respective appeals (Revisionen), the parties request that the decision of the appellate court be amended so that the action is upheld in full or dismissed in full, whereby the defendant does not contest the upholding of the action with regard to the prohibition of clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant requests that the decision be set aside.<br />
[19] The plaintiff requests that the defendant's appeal be rejected as inadmissible or, in the alternative, be dismissed. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The appeals of both parties are admissible. The defendant's appeal is partly justified.<br />
[21] The submissions of the parties and the reasoning of the lower courts are set out in the discussion of the contested clause and the contested business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's appeal is admissible because the requirements for the credit check under § 7(1) VKrG require clarification. It is partly justified.<br />
[24] Regarding clause 1: "From the second month onwards, the partial payment costs are charged on a current-account basis and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current-account settlement, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff argues that the clause is not transparent because it does not point out that the defendant derives from the monthly capitalization a right to charge intra-year compound interest. The clause is also grossly disadvantageous within the meaning of § 879(3) ABGB because the accounting period is shortened to one month, in deviation from § 355(2) UGB. The level of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not apparent that the effective interest rate results from the compound interest effect.<br />
[26] The defendant disputes this. There is no lack of transparency because the effective annual interest rate is stated and it is clearly recognizable that the difference from the annual interest rate can only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts prohibited the clause because it violates the transparency requirement of § 6(3) KSchG. Under § 1000(2) sentence 1 ABGB, the creditor of a monetary claim can demand compound interest only if the parties have expressly agreed to it. According to the case law, an agreement on intra-year capitalization of interest is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is not remedied by stating the monthly interest rate, the annual interest rate and the effective annual interest rate, or by the installment calculator, because the effective annual interest rate can also result from other cost factors such as commissions, contract set-up costs, processing fees etc., so that the average consumer need not infer an agreement on compound interest from the difference between the annual interest rate and the effective annual interest rate.<br />
[28] The revision is not justified.<br />
[29] 1.1. Under § 1000(2) sentence 1 ABGB, compound interest is owed, as the appellate court has already correctly pointed out, only if "expressly" agreed between the parties. What is required is that compound interest be stipulated, for which sufficiently clear implied declarations suffice (Perner in Schwimann/Kodek, ABGB4 § 1000 Rz 17 and fn 50; Ertl in Fenyves/Kerschner/Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann, UGB³ § 355 Rz 3). An agreement on compound interest in the defendant's General Terms and Conditions must also meet the requirements of § 6(3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, a reference to an intra-year account closing, or to the fact that interest is "calculated, capitalized and charged" during the year, is not sufficient to make the consumer aware that compound interest is also to be charged. Such clauses have therefore regularly been held to be non-transparent within the meaning of § 6(3) KSchG (1 Ob 124/18v [clause 17]; 9 Ob 11/18k [clause 6]; 8 Ob 128/17g [clauses 7 and 8]; 10 Ob 31/16f [clause c]; 4 Ob 179/02f [clause Z 38 para 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an intra-year account closing, but rather for the "current-account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; the effective interest rate of 21.7% p.a. resulting from the "current-account settlement" is also stated.<br />
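As an added arithmetic check, not part of the judgment: the three figures quoted in the clause are mutually consistent only under monthly compounding. With a monthly rate of $i = 0.0165$,<br />
<br />
$$12 \cdot i = 12 \cdot 0.0165 = 0.198 \qquad (19.8\,\%\ \text{p.a., nominal})$$<br />
<br />
$$(1 + i)^{12} - 1 = 1.0165^{12} - 1 \approx 0.2170 \qquad (21.7\,\%\ \text{p.a., effective})$$<br />
<br />
The spread of 1.9 percentage points is therefore fully explained by capitalizing the partial payment costs every month and charging interest on them again, with no other fees involved; that is the defendant's reading of the clause. The court's objection is not to the arithmetic but to the fact that a consumer reading the clause cannot tell from its wording that this compounding is what "current-account settlement" means.<br />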
[32] 2.1. The current account agreement is regulated in § 355 UGB. § 355(1) UGB defines it as an agreement between an entrepreneur and a person with whom he has a business relationship that the mutual claims and performances arising from that relationship, including interest, are entered into an account and settled at regular intervals by offsetting and by determining the balance resulting in favour of one or the other party. Under § 355(4) clause 4 UGB, whoever is entitled to a balance on closing of the account may demand compound interest.<br />
[33] 2.2. If one or more of the features of the current account defined by law in § 355(1) UGB are missing, such as the entrepreneurial status of one party or the continuing business relationship, one speaks of an improper current account agreement, to which current account law can apply by analogy (1 Ob 83/01i). For example, the analogous application of § 355 UGB was affirmed for an agreement between non-entrepreneurs (1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4).<br />
[34] 2.3. On the basis of § 1000(2) sentence 1 ABGB, it is assumed that where an improper current account relationship is agreed, compound interest is owed only if expressly agreed (within the meaning of § 1000(2) sentence 1 ABGB) (cf. 1 Ob 83/01i; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 4; contra Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship of some duration, from which the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube/Ratka/Rauter, UGB I/34 § 355 Rz 5). Whether a single installment purchase can already meet this requirement (critical of classifying an installment credit as a current account relationship: Dullinger in Artmann, UGB³ § 355 Rz 4), or whether the (qualified) business relationship required by § 355(1) UGB is lacking when a single installment purchase is concluded, so that at most an "improper" current account relationship exists, need not be conclusively assessed in the present case:<br />
[36] 3.1. For even on the assumption that the agreement of a "current-account settlement" in the case of an installment purchase were directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer with regard to the accrual of compound interest within the meaning of § 6(3) KSchG. For the economically inexperienced average customer of a mail-order company, neither the use of the term "current account" nor the statement of the different interest rates makes it apparent that the outstanding invoice amount is periodically determined, the "partial payment costs" are capitalized and interest is (again) charged on them. Nor does this follow from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the charging of compound interest (§ 510(3) ZPO). In addition, the length of the billing period of one month can only be deduced from the fact that a monthly interest rate is stated for the installment costs. That the "current-account settlement" provision in truth merely serves to effect a monthly charging of compound interest is therefore not generally recognizable to the average consumer. Insofar as the appeal argues that the effective annual interest rate can exceed the stated annual interest rate only because of the compound interest effect, since no other costs flow into it, this circumstance is not immediately apparent to the consumer from the contested clause.<br />
[37] 3.2. Insofar as the appeal further argues that the financial burden is easily recognizable for the consumer through the statement of the effective annual interest rate and through the installment calculator, the defendant gains nothing from this. If there is no effective agreement on compound interest, because of a violation of the transparency requirement of § 6(3) KSchG, the defendant is not entitled to the stated effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing installment purchases and/or installment payment options with a total credit amount of at least EUR 200 for the payment of goods purchased from it by consumers is objected to, insofar as this is done without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income and/or financial situation of these consumers.<br />
[40] The plaintiff sees a systematic violation of the obligation to carry out a credit check under § 7 VKrG in the fact that, in installment transactions, the defendant collects no information about the consumer's income and other liabilities. In response to the plaintiff's cease-and-desist letter, the defendant justified its high interest rate by the fact that no collateral and no proof of employment or of regular cash inflows had to be provided for the loans it granted. The database query and the analysis of previous purchasing behaviour allow no conclusions about income and no prognostic decision as to whether the consumer will be able to meet his payment obligations in full. The database query can supplement information about the consumer's income and assets, but it cannot replace it.<br />
[41] The defendant counters that obtaining information from a database, specifically by making an inquiry to the named credit agency, satisfies the requirements of § 7 VKrG. The entrepreneur is not in every case required to approach the consumer. The scope of the duty to investigate depends on the individual case and is lower for small goods loans than for typical bank loans. The defendant allows partial payment for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer loans granted are around the average amount of EUR 650.<br />
[42] The first court dismissed the request for an injunction aimed at the omission of business practice 1.<br />
[43] The appeals court granted the injunction. In its legal reasoning it held that the lender must carry out the credit check on the basis of sufficient information. To assess creditworthiness, the consumer's current income and liquid funds are to be drawn on first and compared with the costs of the loan and the current repayment; a database query is to be carried out only if additionally necessary.<br />
[44] In its appeal, the defendant argues that no order of priority is prescribed for obtaining information and that the credit check can be designed flexibly. Consumers' income and financial situation always show certain fluctuations and uncertainties, which have an effect especially where monthly payments are low, so that the information to be obtained from the consumer would have to be all the more detailed the lower the loan amount. In such cases, however, obtaining detailed information is unusual and provides no more reliable statement about creditworthiness than the credit information obtained and the observation of ongoing consumer behaviour. Obtaining credit information is therefore sufficient for small goods loans.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who, in business dealings with consumers in connection with consumer credit relationships, violates a statutory requirement or prohibition and thereby impairs the general interests of consumers may, without prejudice to § 28(1) KSchG, be sued for an injunction (§ 28a(1) KSchG).<br />
[47] 1.2. § 28a KSchG extends the scope of representative actions to unlawful business practices of entrepreneurs in business dealings with consumers, limited to the contractual and non-contractual legal relationships specified in § 28a(1) KSchG (10 Ob 13/17k; 7 Ob 168/17g; Kathrein/Schoditsch in KBB6 § 28a KSchG Rz 1). The conduct complained of must also be of relevance for a large number of contracts or non-contractual legal relationships, which is the case in particular for unlawful conduct in mass business (RS0121961). The aim is to effectively prevent any conduct found to be unlawful that has developed into a practice of the respective entrepreneur (6 Ob 228/16x).<br />
[48] 1.3. The claim for an injunction, including that under § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [business practice 2], etc.), is made up of two elements: an obligation to cease and desist and the risk that this obligation will be violated. If one of these elements is missing, there is no claim for an injunction (RS0037660).<br />
[49] 2.1. The subject of the claim and of the ruling is always only the specific infringing conduct (RS0037478 [T2, T5]). It is, however, permissible to describe the inadmissible conduct in general terms and to clarify it by means of individual prohibitions listed as examples ("in particular"). Even with such a more general formulation of the injunction, the ruling must capture the core of the infringing conduct (4 Ob 206/19a; 9 Ob 57/20b).<br />
[50] The claim is to be understood as the plaintiff means it, in conjunction with the submissions of the action (RS0037440).<br />
[51] 2.2. The core of business practice 1 complained of by the plaintiff consists in granting consumers the option of partial payment without obtaining information on income "and/or" assets for the purpose of checking creditworthiness. According to the wording of the claim and the submissions of the action as a whole, the plaintiff association seeks a prohibition that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the installment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtains information on the income or assets of its prospective purchasers before granting a partial payment option. Only when a consumer requests information about the reasons why he cannot use all payment methods with the defendant (i.e. after an "unsecured" payment method requested by the consumer has been refused) does the defendant request, for example, proof of income.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option to pay in installments without obtaining information about their income and/or assets, violates a statutory prohibition, specifically § 7 VKrG. The decisive question is whether an obligation can be derived from § 7 VKrG to always obtain information about the income and/or assets of prospective purchasers in the case of installment transactions as offered by the defendant, from a credited purchase price of EUR 200 upwards (see § 4(1) VKrG).<br />
[54] It should be made clear in this context that the injunction does not simply cover the execution of the credit check without obtaining information about the income and / or assets of the prospective buyers, but only the procedure of granting consumers partial payment options without having obtained such information. The practice of refusing to allow partial payment without obtaining information about the income and / or asset situation is therefore not objected to.<br />
[55] 3.1. Under § 7 VKrG, which applies to installment purchase contracts pursuant to § 25(1) VKrG (see Foglar-Deinhardstein in Fenyves/Kerschner/Vonkilch, Klang³ § 25 VKrG Rz 69), the lender must, before concluding the credit agreement, check the creditworthiness of the consumer on the basis of sufficient information, which it requests from the consumer where necessary; where necessary, it must also obtain information from an available database (§ 7(1) VKrG). If this check raises considerable doubts about the consumer's ability to fulfil his obligations under the credit agreement in full, the lender must inform the consumer of these concerns about his creditworthiness (§ 7(2) VKrG).<br />
[56] This implemented into Austrian law the lender's obligation to assess the creditworthiness of the consumer under Article 8(1) of the Consumer Credit Directive (Directive 2008/48/EC on credit agreements for consumers). Under Article 8(1) of the Consumer Credit Directive, Member States must ensure that, before the conclusion of the credit agreement, the creditor assesses the consumer's creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database. Member States whose legislation requires creditors to assess creditworthiness on the basis of a consultation of the relevant database may retain this requirement.<br />
[57] 3.2. The lender's obligation to assess the consumer's creditworthiness under Article 8(1) of the Consumer Credit Directive is intended to protect consumers against the irresponsible granting of credit that exceeds their financial capacity and may lead to their insolvency (ECJ 27 March 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, paras 42 f). In addition, the credit check prescribed by Union law serves the general interest in a functioning credit market in the internal market (Recitals 6 and 7 of the Consumer Credit Directive; Pesek in Klang³ § 7 VKrG Rz 1).<br />
[58] 3.3. According to Section 7 (1) VKrG and Article 8 (1) Consumer Credit Directive, the lender must determine the facts that are relevant for assessing creditworthiness (Pesek in Klang³, Section 7, margin no.27). As a means of information, in Section 7 (1) VKrG as well as in Art 8 Consumer Credit Directive, the gathering of information from the consumer and the gathering of information from an available database are mentioned.<br />
[59] Creditworthiness is not to be understood as creditworthiness in the banking sense. Rather, it is a matter of assessing whether the consumer will probably be able to meet his payment obligations under the credit agreement in full without being pushed to the edge of his economic existence (Explanatory Notes to the Government Bill, ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer Credit Law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of Section 7 (1) VKrG is not described in more detail by law.<br />
[61] 4.2. In the literature it is consistently stated that the regular (net) income of the consumer and his other liquid assets must be taken into account in the credit check (Pesek in Klang³ § 7 VKrG margin no.10; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG margin no 9; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no. 9; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² [2012] margin no. 2/54). However, the inclusion of non-liquid assets in the creditworthiness check is disputed (for: Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; on the other hand: Wendehorst, What is creditworthiness? In Blaschek / Habersberger , Worthy of a loan? 29 f; Foglar-Deinhardstein, The credit check for consumer credit [2013] margin nos. 237 ff; Weissel, consumer credit: Inquiry obligations of the bank, RdW 2014, 176, 179; ders, The protection provided by § 7 VKrG under civil law: legal beneficence oder Irrweg, ZFR 2012, 208, 210; differentiating [between smaller consumer loans and loans for the creation of housing, which were also covered by § 7 VKrG up to the entry into force of the HIKrG on March 21, 2016] Zöchling-Jud in Wendehorst / Zöchling-Jud , Consumer credit law [2010] § 7 VKrG margin no. 10; Dehn in Apathy / Iro / Koziol, Austrian bank contract law IV² margin no. 2/55). The consumer's income and cash and cash equivalents as well as - depending on the legal opinion represented - other assets are to be compared with the regular burdens of the consumer (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG margin no.12).<br />
[62] 4.3. It is agreed that the extent of the lender's duty to investigate depends on the circumstances of the individual case, with regard to the amount of the loan value disbursed, the duration of the loan, the informative value and credibility of the information provided by the consumer as well as the existence or duration and intensity the business relationship between the lender and the consumer is important (Heinrich in Schwimann / Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst / Zöchling-Jud, consumer credit law § 7 VKrG Rz 14; 8 Ob 76 / 16h).<br />
[63] 4.4. In this sense, Leupold / Ramharter argue for small (commodity) loans that the lender's exploration obligations are limited; in this context, they refer to information from databases and reject any further credit check as incompatible with the goal of efficient markets (Leupold / Ramharter, The violation of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information according to Section 7 (1) VKrG must also be specified depending on the circumstances of the individual case. Only in this way, with the help of the statutory general clause, can the legal obligations be applied appropriately to the wide range of consumer loans covered by Section 7 (1) VKrG, which extends from financial aid within the meaning of Section 25 (1) VKrG up to large bank loans.<br />
[65] 4.6. This interpretation is in line with the case law of the ECJ on Article 8 (1) of the Consumer Credit Directive.<br />
[66] In the case of CA Consumer Finance SA, the ECJ made it clear that the directive neither conclusively specifies the information on the basis of which the lender has to assess the creditworthiness of the consumer, nor specifies in more detail whether and how this information is to be checked. Rather, the lender has a margin of discretion as to whether the information available to him is sufficient to confirm the creditworthiness of the loan applicant and whether he has to check it against other criteria. The lender must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided to him by the loan applicant is relevant and sufficient. Whether the information is sufficient can vary depending on the circumstances of the conclusion of the credit agreement, the personal situation of the consumer or the credit volume provided for in the contract (ECJ December 18, 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, margin no. 36 f).<br />
[67] 4.7. The lender is therefore not required to obtain information on the income or financial situation of the consumer or on both aspects in addition to obtaining information from an external credit bureau in the case of small goods loans.<br />
[68] 5.1. According to the findings, the defendant obtains information from an external credit agency before granting partial payment options to new customers and limits the loan amount to EUR 500; for existing customers, it uses any negative credit information available in the group of companies. In addition, it takes the amount of the loan into account in its decision-making; furthermore, there are other factors that are not related to creditworthiness within the meaning of Section 7 (1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly in the case of the small loans of goods from a loan amount of EUR 200 or more that are covered by the injunction, the consideration of existing negative creditworthiness information, as can be derived from the information available in the group of companies as well as from the information provided by the credit bureau, does not appear to be entirely unsuitable for credit checks. This is also not claimed by the plaintiff association. Especially in the case of very low loan amounts (from EUR 200) it is not evident that additional knowledge of the net income (at least, unless it is associated with a detailed survey of all, even minor financial burdens) necessarily enables a more reliable assessment than the query whether due to existing “negative creditworthiness information”, the collectability of even very small loan amounts must be called into question from the outset. The same considerations apply to the need to identify the consumer's realizable assets.<br />
[70] 5.3. Whether the business practice objected to by the plaintiff association, when granting partial payment options in addition to obtaining information from an external credit agency, not to obtain information about the income and / or asset situation of consumers, violates § 7 VKrG, cannot be answered in general, but depends on the circumstances of the case.<br />
[71] It cannot be ruled out that there are partial payment options granted by the defendant in which it is necessary to obtain information about the income situation or the financial situation of the consumer, or about both. However, the request for an injunction does not focus on such more specific cases, but aims to forbid the defendant, in all cases, from agreeing on partial payment purchases or partial payment options with consumers with a total credit of at least EUR 200 without obtaining information on their income situation and / or financial position.<br />
[72] However, this request is not justified because of the discretion granted to the lender in the credit check. The revision is therefore justified insofar as it is directed against the prohibition of the objected business practice 1. The judgment of the first court had to be restored to this extent.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The appeal by the plaintiff is permissible because the standing of the plaintiff association under §§ 28a, 29 KSchG to assert violations of the GDPR has not been conclusively clarified.<br />
[75] Regarding the performance period (Clause 1):<br />
[76] The appellate court set the performance period for ceasing the use of, and reliance on, clause 1 at six months because of the organizational measures necessary for the conversion of the data processing (EDP) systems. Such a necessity is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing partial payment contracts (see RS0041265 [T12]). The performance period set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the credit check when lending is based on a scoring without giving the consumer the right to express his own point of view and contest his classification is objected to.<br />
[79] With this request for an injunction, the plaintiff did not object to the "internal scoring" practiced by the defendant, but to the decision based on the classification made by the external credit agency. The procedure violates Art 22 GDPR for reasons explained in detail.<br />
[80] The defendant objected that the plaintiff association has no standing with regard to data protection information obligations. The alleged violation of Art 22 GDPR did not exist.<br />
[81] The first court dismissed the claim because the defendant's approach was in accordance with Section 7 VKrG and Article 22 GDPR.<br />
[82] The appellate court confirmed the dismissal of the action on the grounds that the plaintiff association lacks standing to assert data protection violations.<br />
[83] As a significant legal issue, the appeal claims that the appellate court disregarded the fact that the systematic violation of Art 22 GDPR occurred in connection with consumer credit relationships, so that the representative action under § 28a KSchG is available.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court submitted the following question to the European Court of Justice for a preliminary ruling (RS0133358):<br />
Do the rules in Chapter VIII, in particular Art. 80 (1) and (2) and Art. 84 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter "GDPR"), preclude national rules which - in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the legal remedies of the data subjects - grant, on the one hand, competitors and, on the other hand, associations, institutions and chambers authorized under national law the power, irrespective of an infringement of specific rights of individual data subjects and without a mandate from a data subject, to proceed against the infringer on account of infringements of the GDPR by way of an action before the civil courts under the Ges prohibition of engaging in unfair business practices, or of violating consumer protection law, or of using ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association authorized to take legal action under § 29 KSchG that appears in 6 Ob 77/20x - there on the basis of § 28 KSchG. In the present proceedings, on the basis of § 28a KSchG, it seeks the cessation of a business practice used by the defendant in connection with consumer credit relationships which violates the GDPR.<br />
[86] 2.2. The question of whether the plaintiff has standing to assert violations of the GDPR by way of a representative action under § 29 KSchG is also relevant for the decision of the present legal dispute, because the question of whether the Union legislature may have intended, with the legal protection instruments provided for in the GDPR, to create an exhaustive regime for the enforcement of data protection violations is essential for the decision also with respect to actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Thus, the Supreme Court also extended its request for a preliminary ruling in 6 Ob 77/20x to the representative action "from the point of view of a violation of a consumer protection law" - i.e. in accordance with § 28a KSchG (cf. 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the European Court of Justice has general effect and must apply it also to cases other than the one directly at issue. For reasons of procedural economy, the present proceedings must therefore be stayed (RS0110583).<br />
<br />
[89] C. Regarding the publication requests:<br />
[90] Because of the stay of the proceedings with regard to the request for an injunction regarding business practice 2 (violation of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication once the final judgment is available would entail additional costs that would not be incurred in the case of joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] margin no. 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of costs is based on Section 52 (4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>
JS
https://gdprhub.eu/index.php?title=OGH_-_6Ob48/21h&diff=20166
OGH - 6Ob48/21h
2021-09-28T14:25:09Z
<p>JS: Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OGH |Court_With_Country=OGH (Austria) |Case_Number_Name=6Ob48/21h |E..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OGH<br />
|Court_With_Country=OGH (Austria)<br />
<br />
|Case_Number_Name=6Ob48/21h<br />
|ECLI=ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
|Original_Source_Name_1=RIS<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=4530863f-3472-44c4-9677-4f6b4edaecdb&Position=1&Abfrage=Justiz&Gericht=&Rechtssatznummer=&Rechtssatz=&Fundstelle=&AenderungenSeit=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=DSGVO&Dokumentnummer=JJT_20210806_OGH0002_0060OB00048_21H0000_000<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2021<br />
|Date_Published=22.09.2021<br />
|Year=2021<br />
<br />
|GDPR_Article_1=Article 80 GDPR<br />
|GDPR_Article_Link_1=Article 80 GDPR<br />
<br />
<br />
|National_Law_Name_1=§ 28a KSchG<br />
|National_Law_Link_1=https://www.jusline.at/gesetz/kschg/paragraf/28a<br />
|National_Law_Name_2=§ 29 KSchG<br />
|National_Law_Link_2=https://www.jusline.at/gesetz/kschg/paragraf/29<br />
<br />
|Party_Name_1=Verein für Konsumenten Information (VKI)<br />
|Party_Link_1=https://verbraucherrecht.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Pending appeal<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian Supreme Court (OGH) decided to stay the proceedings in a case until the CJEU has decided whether consumer organisations have standing to take legal action under the GDPR without a mandate and without a violation of the rights of a particular individual.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff (the Austrian association "Verein für Konsumenten Information") sued the defendant (an online shopping platform operating throughout Austria) over several business practices and terms and conditions that it considered to be in violation of consumer protection law and the GDPR. More precisely, the association objected to several non-transparent contractual clauses on interest and creditworthiness checks and criticized the defendant for making decisions based on classifications made by an external credit scoring agency, in violation of [[Article 22 GDPR|Article 22 GDPR]].<br />
<br />
The defendant argued that the association had no right to take legal action under data protection law. In this regard, the lower court had already held that the association lacks standing to assert data protection violations.<br />
<br />
=== Holding ===<br />
The OGH decided that the previous courts failed to take into account that the systematic infringement of [[Article 22 GDPR|Article 22 GDPR]] taking place in connection with consumer credit relationships could in fact allow the association to take legal action under the GDPR.<br />
<br />
The court decided that the appeal is admissible because the standing of the plaintiff association to take legal action under §§ 28 and 29 of the Austrian Consumer Protection Act (Konsumentenschutzgesetz - KSchG) has not yet been conclusively clarified. The court refers to a similar case of the plaintiff currently pending at the CJEU as part of a preliminary ruling procedure.<br />
<br />
The CJEU has to decide whether the provisions of the GDPR preclude national regulations from granting associations the power to take action against unfair business practices or violations of consumer protection law irrespective of the violation of specific rights of individual data subjects and without a mandate (see here). Until the CJEU has made this decision, the present proceedings are stayed.<br />
<br />
<br />
== Comment ==<br />
For further information on the corresponding preliminary reference see here.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Court<br />
Supreme Court<br />
<br />
<br />
Decision date<br />
08/06/2021<br />
<br />
<br />
Business number<br />
6Ob48/21h<br />
<br />
<br />
Header<br />
The Supreme Court, as a court of appeal, through the Senate President Hon.-Prof. Dr. Gitschthaler as chairman, the court councilors Univ.-Prof. Dr. Kodek and Dr. Nowotny, the court councilor Dr. Faber and Hofrat Mag. Pertmayr as further judges, in the case of the plaintiff, Verein für Konsumenteninformation, 1060 Vienna, Linke Wienzeile 18, represented by Kosesnik-Wehrle & Langer Rechtsanwälte KG in Vienna, against the defendant U***** GmbH, *****, represented by Pressl Endl Heinrich Bamberger Rechtsanwälte GmbH in Salzburg, for injunctive relief and publication of the judgment, on the appeals by both parties against the judgment of the Linz Higher Regional Court as the court of appeal of November 26, 2020, GZ 3 R 128/20v-15, with which the judgment of the Salzburg Regional Court of August 14, 2020, GZ 4 Cg 67/19w-9, was partially amended, has in closed session duly ruled and decided:<br />
<br />
<br />
Ruling<br />
<br />
The defendant's appeal, insofar as it is directed against the injunction in point 1.1. of the appeal judgment (clause 1), is not granted.<br />
Insofar as it is directed against the injunction in point 2 of the appeal judgment (business practice 1), the defendant's appeal is granted and the dismissing decision of the court of first instance (point 3.1. of its judgment) is restored.<br />
With regard to point 4 of the judgment of the appellate court, the proceedings are stayed until the decision of the European Court of Justice on the request for a preliminary ruling made by the Supreme Court on November 25, 2020 in 6 Ob 77/20x. Once the preliminary ruling has been received, the proceedings will be continued ex officio.<br />
The decision on the plaintiff's request for authorization to publish the judgment upholding the claim, as well as the defendant's request for authorization to publish the judgment dismissing the claim, is reserved for the final decision.<br />
The decision on the costs of the appeal proceedings is reserved for the final decision.<br />
<br />
<br />
Text<br />
Reasons for the decision:<br />
[1] The plaintiff is an association entitled to sue within the meaning of § 29 KSchG.<br />
[2] The defendant is a mail order company operating throughout Austria, which continuously concludes contracts with consumers. It bases its contracts on general terms and conditions, which include the following clauses:<br />
"9. Payment:<br />
What payment options do you have for your order?<br />
9.1. Purchase on invoice:<br />
In the case of purchase on account (payment by bank transfer), the invoice amount is due within 14 days of receipt of the goods.<br />
9.2. Partial payment:<br />
With us, you have the option of making partial payments if you have the appropriate creditworthiness and an order value of up to EUR 4,000.00. You can find more information, in particular about the amount and number of installments, at www.u*****.at/part-payment.<br />
In the case of an advance payment, the amount of the agreed installments is reduced and the total burden is lower. The balance remaining after the advance payment can be paid in partial amounts. For the 1st month after purchase, no installment costs are charged. From the 2nd month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account settlement, this results in an effective interest rate of 21.7% p.a. By sending you an account statement by post or email, we will inform you about your current account balance on a monthly basis. You are deemed to have approved the account balance if you do not object to it within two months of receipt.<br />
9.3. Credit card:<br />
You can pay with us online by credit card. Simply select credit card under payment method. We accept Mastercard, Visa, Diners Club and Discover (no prepaid credit cards). In addition to the credit card company, the card number and the period of validity, we need the check digit of your credit card. The check digit is a three-digit number on the back of your credit card that ensures payment security on the Internet.<br />
9.4. Advance payment:<br />
We reserve the right to make the delivery of the goods dependent on an advance payment.<br />
9.5. PayPal:<br />
[...] "<br />
[3] Via the link “www.u*****.at/part-payment” you get to an installment calculator. There, the customer can enter the term of the installment payments within a specified range. The maximum term is 48 months, the minimum monthly rate is EUR 10. When you enter the item price and the desired term, the system calculates the installment surcharge, the monthly minimum installment, the amount of the last installment, the final installment price and indicates the effective annual interest rate.<br />
[4] The information on the credit check can be found in the data protection information of the defendant (www.u*****.at/datenschutz), which has the following content in excerpts:<br />
"3.2.2.2. Credit checks:<br />
If you have selected a so-called insecure payment method (purchase on account or installment purchase) when placing an order, the following applies:<br />
U***** and other mail order companies of the O***** Group basically give their customers the opportunity to purchase goods using unsafe payment methods (e.g. purchase on account, purchase on finance).<br />
[...]<br />
Companies that generally allow their customers to use unsafe payment methods have a legitimate interest in protecting themselves as well as possible from the occurrence of payment defaults. This is done, among other things, by checking the creditworthiness of the customer before granting the option of using insecure payment methods. As part of this check, we are entitled to ask U***** GmbH whether they have received negative credit information about the respective customers from the other mail-order companies of the O***** Group. Furthermore, we are entitled to transmit negative creditworthiness information on the respective customers to U***** GmbH, which in turn can provide information to the above-mentioned other mail-order companies of the O***** Group before these other mail-order companies give the customer the option of using unsafe payment methods.<br />
The creditworthiness information is information about outstanding payment claims and information from which there is a direct risk of payment default (e.g. insolvency, debt counseling, deferral due to insolvency). Before we transmit negative information about outstanding payment claims to U***** GmbH, the customers concerned are informed of the possibility of transmission on a reminder. We are also entitled to transmit information about extremely atypical order processes (e.g. simultaneous ordering of a large number of goods to the same address using different customer accounts) to U***** GmbH and to request such information from U***** GmbH. This is to avoid payment defaults and to protect our customers from misuse of their accounts or their identity.<br />
In cases in which a customer wants to order with an insecure method of payment, we are entitled to use information received as part of the order to calculate a probability of default (internal scoring). The calculation of the probability of default by means of the internal scoring is based on a recognized mathematical statistical procedure. The data used as part of the internal scoring result in particular from a combination of the following data categories (not exhaustive): address data, age, desired payment conditions, order method and product range groups. As part of the internal scoring, only data that the customer has given us is used. On the basis of the named data categories, conclusions can be drawn about the probability of default on payment due to the mathematical statistical procedure used. For example, a certain place of residence of the person placing the order, combined with a certain category of goods, can lead to an increased probability of default and thus a restriction on the payment method. There is no payment type restriction based solely on the place of residence of the person placing the order. In addition, it has been statistically proven, for example, that there is a lower risk of payment default when using a paid e-mail provider than when using a free provider. As part of the examination of whether an unsafe method of payment (installment / purchase on account) can be granted, we are also entitled to obtain credit information about you from an external credit agency. We work with the following credit agency: C***** GmbH, *****.<br />
For the purpose of calling up creditworthiness information, the following data is transmitted to the external credit agency: first name, last name, postal address, date of birth and, in the event of default in payment, the outstanding balance. The data mentioned can also be transmitted to C***** GmbH, ***** for the purpose of personal and address validation and for fraud prevention (see also the following point).<br />
As part of the credit check, we can use an automated process to decide whether you will be given the desired unsecure payment method (installment / purchase on account). For example, when a negative credit report is sent by a credit agency or when an insufficient score is calculated as part of the internal scoring, the desired payment method can be automatically rejected. You have the right to request that we manually review the automated decision. In addition, you have the right to express your own point of view and the right to contest the decision.<br />
The processing of your data as part of the credit check is based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. We basically have a legitimate interest in carrying out a credit check when you select an unsafe payment method (installment / purchase on account)."<br />
[5] Under the heading “Data protection notice” and the text “Information on payment method restrictions: You would like to know why you cannot use all payment methods with us? We will be happy to provide you with information here.”, the customer arrives at a link with the title “Request information”.<br />
[6] Over 90% of the orders placed with the defendant are made online, the remaining 10% by telephone. The average order value is EUR 650.<br />
[7] In the case of an online order, the payment method "purchase on account" is preset. If a customer wants partial payment, he has to change the payment option himself.<br />
[8] In the case of an initial order, the defendant limits the order value to EUR 500 in the case of an installment purchase or purchase on account; this limit is gradually increased for subsequent orders if there have been no defaults in payment.<br />
[9] In the case of a new customer who orders on open account or partial payment, an inquiry is automatically made to the credit agency with the data provided by the customer. If the customer is unknown there, the defendant rejects a business relationship with partial payment or on account and notifies the customer that he would be supplied via credit card or PayPal. If the customer is known, there are three ways of scoring with three different colors. If the color is red, the unsecure payment method is also rejected, if it is yellow, an employee of the defendant checks, and if it is green, the order is accepted. In the case of a yellow scoring, the employee himself inspects the database and decides whether and, if so, under what conditions the order will be released.<br />
[10] If a customer makes use of the option of requesting information, further information is obtained, for example the request for proof of income.<br />
[11] The plaintiff association desires - insofar as it is still the subject of the appeal proceedings - to oblige the defendant to refrain from using the following clauses in general terms and conditions or contract forms in business dealings with consumers:<br />
(Clause 1 = point 1.1. of the judgment of the court of appeal): "From the second month onwards, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[12] Furthermore, it seeks to oblige the defendant in accordance with § 28a KSchG to refrain, in business dealings with consumers in connection with consumer credit relationships, from the following practices:<br />
(Business practice 1 = point 2. of the judgment of the court of appeal): "agreeing on partial payment purchases and / or partial payment options with a total credit of at least EUR 200 for goods purchased by consumers without checking the creditworthiness of the consumer on the basis of sufficient information, in particular without obtaining information on the income situation and / or financial situation of these consumers;" as well as<br />
(Business practice 2 = point 4 of the judgment of the appellate court): "to carry out the credit check when lending on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification."<br />
[13] Furthermore, the plaintiff association applied for authorization to publish the judgment.<br />
[14] The defendant requested that the action be dismissed as well as authorization to publish the judgment dismissing the complaint, and, in the event that the action was upheld, the setting of a performance period of at least six months.<br />
[15] The first court granted the cease and desist and publication requests with regard to clauses 1 and 2 without setting a performance deadline and dismissed the further claim and the counter-publication request of the defendant.<br />
[16] The appeals court partially followed the appeals of both parties. It confirmed the admission of the action with regard to clauses 1 and 2, whereby it set a six-month performance period, and changed the judgment of the first court with regard to business practice 1 in the plaintiff's sense, also with a six-month performance period.<br />
[17] It allowed the appeal because it was partly about clauses or business practices that had not yet been assessed by the Supreme Court and that were important for a larger number of consumers.<br />
[18] In their opposing appeals, the parties in dispute request the amendment of the decision of the appellate court in the sense of a complete granting of the claim or a complete dismissal of the claim, whereby the defendant does not contest the granting of the claim with regard to the cessation of clause 2 (point 1.2. of the appeal judgment). In the alternative, the defendant files an application for annulment.<br />
[19] The plaintiff requests that the defendant's appeal be rejected or, in the alternative, not be granted. The defendant requests that the plaintiff's appeal be rejected.<br />
[20] The revisions of both parties are permissible. The defendant's revision is partly justified.<br />
[21] The submissions of the parties as well as the reasons for the decision of the lower courts are presented when dealing with the disputed clause and the disputed business practices.<br />
<br />
<br />
Legal assessment<br />
[22] A. On the defendant's appeal:<br />
[23] The defendant's revision is permissible because the requirements for the credit check in accordance with Section 7 (1) VKrG require clarification. It is partially justified.<br />
[24] Regarding clause 1: "From the second month, the partial payment costs are offset against the current account and amount to 1.65% per month (19.8% p.a.) of the outstanding balance. With current account offsetting, this results in an effective interest rate of 21.7% p.a."<br />
[25] The plaintiff complains that the clause is not transparent because it is not pointed out that the defendant derives the right to charge compound interest during the year from the monthly capitalization. The clause is also grossly disadvantageous within the meaning of Section 879 Paragraph 3 ABGB, because the accounting period is shortened to one month in deviation from Section 355 Paragraph 2 UGB. The amount of the effective interest rate is grossly disadvantageous and violates § 934 ABGB. In addition, it is not evident that the effective interest rate results from the compound interest effect.<br />
[26] The defendant denies the claims. There was no lack of transparency because the effective annual interest rate was stated and it was clearly recognizable that the difference to the annual interest rate could only result from the compound interest effect (and not from the inclusion of processing fees or the like).<br />
[27] The lower courts forbade the clause because it violated the transparency requirement of Section 6 (3) KSchG. The creditor of a monetary claim can only demand compound interest according to Section 1000 (2) sentence 1 ABGB if the parties have expressly agreed to this. According to the case law, the agreement of the capitalization of interest during the year is not transparent if the user of the terms and conditions does not point out the resulting compound interest effect. The lack of transparency is also not eliminated by listing the monthly interest rate, the annual interest rate and the effective annual interest rate or by using the rate calculator, because the annual interest rate can also result from other cost factors such as commissions, costs of contract establishment, processing fees, etc., so that the average consumer can choose the difference between the annual interest rate and the effective annual interest rate does not have to infer the agreement of compound interest.<br />
[28] The revision is not justified.<br />
[29] 1.1. According to Section 1000 (2) sentence 1 ABGB, compound interest is due - as the appellate court has already correctly pointed out - only in the case of an "express" agreement between the parties. It is necessary that the compound interest is conditional, for which sufficiently clear conclusive explanations are sufficient (Perner in Schwimann / Kodek, ABGB4 § 1000 Rz 17 and Fn 50; Ertl in Fenyves / Kerschner / Vonkilch, Klang³ § 1000 ABGB Rz 15; Dullinger in Artmann , UGB³ § 355 margin no. 3). The agreement of compound interest in the General Terms and Conditions of the defendant must also meet the requirements of Section 6 (3) KSchG.<br />
[30] 1.2. According to the established case law of the Supreme Court, the reference to an account closing during the year or the reference to the fact that interest is "calculated, capitalized and charged" during the year is not sufficient to make the consumer realize that compound interest should also be charged. Such clauses were therefore regularly judged to be non-transparent within the meaning of Section 6 (3) KSchG (1 Ob 124 / 18v [Clause 17]; 9 Ob 11 / 18k [Clause 6]; 8 Ob 128 / 17g [Clauses 7 and 8]; 10 Ob 31 / 16f [Clause c]; 4 Ob 179 / 02f [Clause Z 38 Paragraph 1]; see RS0117273).<br />
[31] 1.3. The present clause does not expressly provide for an account closing during the year, but rather the "current account settlement" of the partial payment costs, which are specified as 1.65% per month (19.8% p.a.) of the outstanding balance; The effective interest rate of 21.7% p.a. resulting from "current account settlement" is also given.<br />
[32] 2.1. The current account agreement is regulated in Section 355 of the UGB. Section 355 (1) of the Austrian Commercial Code defines the current account agreement as an agreement with an entrepreneur with whom someone has a business relationship, that the mutual claims and services arising from the connection, plus interest, are invoiced and at regular intervals by offsetting and determining the amount for one or the other the other part of the resulting surplus will be compensated. According to Section 355, Paragraph 4, Clause 4 of the Austrian Commercial Code, anyone who is entitled to a surplus when closing the accounts can demand compound interest.<br />
[33] 2.2. If one or more features of the current account defined by law in Section 355 (1) UGB are missing, such as the entrepreneurial status of a part or the permanent business relationship, one speaks of an improper current account agreement to which the current account law can apply analogously (1 Ob 83 / 01i). For example, the analogous application of § 355 UGB was affirmed for the case of an agreement between non-entrepreneurs (1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4).<br />
[34] 2.3. On the basis of the regulation of § 1000 Paragraph 2 Sentence 1 ABGB, it is assumed when an improper current account relationship is agreed that compound interest is only due if expressly agreed (within the meaning of § 1000 Paragraph 2 Sentence 1 ABGB) (cf. 1 Ob 83 / 01i; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 4; aM Dullinger in Artmann, UGB³ § 355 Rz 3).<br />
[35] 2.4. The current account must be based on a business relationship established for a certain period of time, which means that the repeated conclusion of transactions can be expected (Dullinger in Artmann, UGB³ § 355 Rz 4; W. Schuhmacher in Straube / Ratka / Rauter, UGB I / 34 § 355 Rz 5) . Whether a single purchase in installments can already meet this requirement (critical for assessing an installment credit as a current account relationship Dullinger in Artmann, UGB³ § 355 Rz 4) or whether the (qualified) business relationship required by § 355 (1) UGB is missing when concluding a single purchase in installments, so that there is at most an "improper" current account relationship does not have to be conclusively assessed in the present case:<br />
[36] 3.1. Because even under the assumption that the agreement of a "current account settlement" in the case of a hire purchase would already be directly subject to § 355 UGB, this would not change the fact that the clause to be assessed here is not clear and understandable for the consumer regarding the accrual of compound interest within the meaning of § 6 Paragraph 3 of the KSchG. For the economically inexperienced average customer of a mail order company, neither the use of the term "current account" nor the indication of the different interest rates results in the fact that a periodic determination of the outstanding invoice amount including capitalization of the "partial payment costs" and their (renewed) Interest takes place. This does not result from the difference between the annual interest rate and the effective annual interest rate disclosed in the clause. The appellate court has already correctly stated that such a difference can also have reasons other than the offsetting of compound interest (Section 510 (3) ZPO). In addition, the duration of the billing period of one month can only be deduced from the specification of a monthly interest rate for the installment costs. The fact that with the regulation of the "current account settlement" in truth only the monthly settlement of compound interest is to be effected is therefore not generally recognizable for the average consumer. Insofar as the revision argues that the effective annual interest rate can only exceed the stated annual interest rate because of the compound interest effect, because no other costs would flow into it, this circumstance is not immediately apparent to the consumer from the disputed clause.<br />
[37] 3.2. If it is further argued in the revision that the financial burden is easily recognizable for the consumer through the indication of the effective annual interest rate and through the instrument of the rate calculator, nothing can be gained from this for the defendant. If the effective agreement of compound interest is missing - due to a violation of the transparency requirement of § 6 Abs 3 KSchG - the defendant is not entitled to the specified effective interest rate and the total amount determined by the installment calculator.<br />
[38] The defendant's appeal against the prohibition of Clause 1 is therefore not justified.<br />
<br />
[39] Regarding business practice 1: The defendant's business practice of agreeing instalment purchases and/or instalment payment options with consumers, with a total credit amount of at least EUR 200 for payment of the goods they purchase from it, without assessing the consumer's creditworthiness on the basis of sufficient information, in particular without obtaining information on the income situation and/or asset situation of these consumers, is contested.<br />
[40] The plaintiff sees a systematic infringement of the obligation to carry out a creditworthiness assessment under § 7 VKrG in the fact that the defendant, in instalment transactions, collects no information about the consumer's income and other liabilities. In response to the plaintiff's warning letter, the defendant justified its high interest rate by the fact that no collateral, and no proof of employment or of regular cash inflow, has to be provided for the credits it grants. The database query and the analysis of previous purchasing behaviour permit no conclusions as to income and no forecast as to whether the consumer will be able to meet his payment obligations in full. The database query can supplement information on the consumer's income and assets, but cannot replace it.<br />
[41] The defendant counters that obtaining information from a database, specifically by querying the credit reference agency named, satisfies the requirements of § 7 VKrG. In any event, the entrepreneur does not need to approach the consumer. The extent of the investigation duties depends on the individual case and is lower for small goods credits than for typical bank loans. The defendant allows instalment payment for purchase prices between EUR 50 and EUR 4,000 with a term of no more than four years; the majority of the consumer credits granted are around the average amount of EUR 650.<br />
[42] The court of first instance dismissed the claim for an injunction against business practice 1.<br />
[43] The court of appeal granted the injunction. In its legal reasoning it held that the creditor must carry out the creditworthiness assessment on the basis of sufficient information. To assess creditworthiness, the consumer's current income and liquid funds should be consulted first and compared with the costs of the credit and the current repayment instalments; a database query should be carried out only if this is additionally necessary.<br />
[44] In its appeal, the defendant argues that there is no prescribed order of priority for obtaining information and that the creditworthiness assessment can be structured flexibly. Consumers' income and financial circumstances are always subject to certain fluctuations and uncertainties, which have a particular effect where the monthly instalments are low, so that the lower the credit amount, the more detailed the information that would have to be obtained from the consumer. In such cases, however, obtaining detailed information is unusual and provides no more reliable statement about creditworthiness than the credit report obtained and the observation of ongoing consumer behaviour. Obtaining a credit report is therefore sufficient for small goods credits.<br />
[45] The appeal is justified.<br />
[46] 1.1. Anyone who, in business dealings with consumers in connection with consumer credit relationships, infringes a statutory requirement or prohibition and thereby impairs the general interests of consumers may, without prejudice to § 28(1) KSchG, be sued for an injunction (§ 28a(1) KSchG).<br />
[47] 1.2. § 28a KSchG extends the scope of the representative action to unlawful business practices of entrepreneurs in business dealings with consumers, limited to the contractual relationships and non-contractual legal relationships specified in § 28a(1) KSchG (10 Ob 13/17k; 7 Ob 168/17g; Kathrein/Schoditsch in KBB6 § 28a KSchG Rz 1). The conduct complained of must also be of significance for a large number of contracts or non-contractual legal relationships, which is the case in particular for unlawful conduct in mass business (RS0121961). The aim is to prevent effectively any conduct found to be unlawful that has developed into a practice of the entrepreneur concerned (6 Ob 228/16x).<br />
[48] 1.3. The claim for an injunction, including one under § 28a KSchG (cf. 10 Ob 13/17k; 4 Ob 179/18d [business practice 2], and others), is founded on two elements: an obligation to refrain and the risk that this obligation will be breached. If one of these elements is missing, there is no claim for an injunction (RS0037660).<br />
[49] 2.1. The subject of the claim and of the judgment is always only the specific infringing act (RS0037478 [T2, T5]). It is, however, permissible to describe the inadmissible conduct in general terms and to specify it by means of individual prohibitions listed "in particular". Even with such a more general formulation of the injunction, the operative part must cover the core of the infringing act (4 Ob 206/19a; 9 Ob 57/20b).<br />
[50] The claim is to be understood in the sense intended by the plaintiff, read together with the pleadings (RS0037440).<br />
[51] 2.2. The core of business practice 1, as complained of by the plaintiff, consists in granting consumers the option of instalment payment without obtaining information on income "and/or" assets for the purpose of assessing creditworthiness. According to the relief sought and the submissions in the action taken as a whole, the plaintiff association seeks a prohibition that is not restricted to specific groups of cases or to the existence of specific circumstances; rather, it takes the position that the information mentioned must always be obtained for the instalment transactions offered by the defendant.<br />
[52] The defendant did not claim that it obtains information on the income situation or the assets of its prospective customers before granting an instalment payment option. Only when a consumer asks the defendant for the reasons why he cannot use all payment methods (i.e. after the refusal of an "unsecure" payment method requested by the consumer) does the defendant request, for example, proof of income.<br />
[53] 2.3. It must therefore be examined whether the defendant, by systematically granting consumers the option of paying in instalments without obtaining information about their income and/or assets, infringes a statutory prohibition, specifically § 7 VKrG. The decisive question is whether § 7 VKrG imposes an obligation, for instalment transactions as offered by the defendant with a credited purchase price of EUR 200 or more (see § 4(1) VKrG), always to obtain information on the income and/or assets of the defendant's prospective customers.<br />
[54] In this context it should be made clear that the claim for an injunction does not cover simply carrying out the creditworthiness assessment without obtaining information on the income and/or assets of prospective customers, but only the practice of granting consumers instalment payment options without having obtained such information. The practice of refusing instalment payment without obtaining information on the income and/or asset situation is therefore not contested.<br />
[55] 3.1. Under § 7 VKrG, which applies to hire-purchase contracts pursuant to § 25(1) VKrG (see Foglar-Deinhardstein in Fenyves/Kerschner/Vonkilch, Klang³ § 25 VKrG Rz 69), the creditor must, before concluding the credit agreement, assess the consumer's creditworthiness on the basis of sufficient information which, where appropriate, it requests from the consumer; where necessary, it must also obtain information from an available database (§ 7(1) VKrG). If this assessment gives rise to considerable doubts about the consumer's ability to fulfil his obligations under the credit agreement in full, the creditor must inform the consumer of these concerns about his creditworthiness (§ 7(2) VKrG).<br />
[56] This transposed into Austrian law the creditor's obligation to assess the consumer's creditworthiness under Article 8(1) of the Consumer Credit Directive (Directive 2008/48/EC on credit agreements for consumers). Under Article 8(1) of the Consumer Credit Directive, Member States shall ensure that, before the conclusion of the credit agreement, the creditor assesses the consumer's creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database. Member States whose legislation requires creditors to assess the creditworthiness of consumers on the basis of a consultation of the relevant database may retain this requirement.<br />
[57] 3.2. The creditor's obligation to assess the consumer's creditworthiness under Article 8(1) of the Consumer Credit Directive is intended to protect consumers against irresponsible lending that exceeds their financial capacity and may lead to their insolvency (ECJ 27 March 2014, C-565/12, LCL Le Crédit Lyonnais SA, ECLI:EU:C:2014:190, paras 42 f.). In addition, the creditworthiness assessment required by Union law serves the general interest in a functioning credit industry in the internal market (recitals 6 and 7 of the Consumer Credit Directive; Pesek in Klang³ § 7 VKrG Rz 1).<br />
[58] 3.3. Under § 7(1) VKrG and Article 8(1) of the Consumer Credit Directive, the creditor must establish the facts relevant to assessing creditworthiness (Pesek in Klang³ § 7 VKrG Rz 27). As sources of information, both § 7(1) VKrG and Article 8 of the Consumer Credit Directive mention obtaining information from the consumer and obtaining information from an available database.<br />
[59] Creditworthiness is not to be understood in the banking sense. Rather, it concerns the assessment of whether the consumer will probably be able to meet his payment obligations under the credit agreement in full without being pushed to the edge of his economic existence (ErläutRV 650 BlgNR 24. GP 17; Pesek in Klang³ § 7 VKrG Rz 6 f; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer credit law [2010] § 7 VKrG Rz 6 f; see Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 4 ff).<br />
[60] 4.1. What content the information must have in order to be regarded as sufficient within the meaning of § 7(1) VKrG is not described in more detail by the statute.<br />
[61] 4.2. The literature consistently states that the consumer's regular (net) income and his other liquid assets must be taken into account in the creditworthiness assessment (Pesek in Klang³ § 7 VKrG Rz 10; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 9; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer credit law § 7 VKrG Rz 9; Dehn in Apathy/Iro/Koziol, Austrian bank contract law IV² [2012] Rz 2/54). Whether non-liquid assets are to be included in the creditworthiness assessment is, however, disputed (in favour: Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 9; Pesek in Klang³ § 7 VKrG Rz 12; against: Wendehorst, What is creditworthiness? in Blaschek/Habersberger, Worthy of credit? 29 f; Foglar-Deinhardstein, The creditworthiness assessment for consumer credit [2013] Rz 237 ff; Weissel, Consumer credit: the bank's duties of inquiry, RdW 2014, 176, 179; idem, The protection afforded by § 7 VKrG under civil law: legal benefit or aberration, ZFR 2012, 208, 210; differentiating [between smaller consumer credits and credits for the creation of housing, which were also covered by § 7 VKrG until the entry into force of the HIKrG on 21 March 2016]: Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer credit law [2010] § 7 VKrG Rz 10; Dehn in Apathy/Iro/Koziol, Austrian bank contract law IV² Rz 2/55). The consumer's income and liquid funds and, depending on the legal view taken, his other assets are to be compared with the consumer's regular financial burdens (Pesek in Klang³ § 7 VKrG Rz 17; Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 10, 12; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer credit law § 7 VKrG Rz 12).<br />
[62] 4.3. It is agreed that the extent of the creditor's duty to investigate depends on the circumstances of the individual case, with the amount of the credit disbursed, the term of the credit, the informative value and credibility of the information provided by the consumer, and the existence or the duration and intensity of the business relationship between the creditor and the consumer being of significance (Heinrich in Schwimann/Kodek, ABGB4 Va § 7 VKrG Rz 14; Zöchling-Jud in Wendehorst/Zöchling-Jud, Consumer credit law § 7 VKrG Rz 14; 8 Ob 76/16h).<br />
[63] 4.4. In this sense, Leupold/Ramharter argue that for small (goods) credits the creditor's duties of inquiry are limited; in this context they refer to information from databases and reject any further creditworthiness assessment as incompatible with the goal of efficient markets (Leupold/Ramharter, The infringement of the duty to warn of poor creditworthiness under the Consumer Credit Act, ÖBA 2011, 469, 486).<br />
[64] 4.5. The content of the "sufficient" information under § 7(1) VKrG must likewise be determined according to the circumstances of the individual case. Only in this way can the statutory general clause be applied to the wide range of consumer credits covered by § 7(1) VKrG, which extends from financing assistance within the meaning of § 25(1) VKrG to large bank loans.<br />
[65] 4.6. This interpretation is consistent with the case law of the ECJ on Article 8(1) of the Consumer Credit Directive.<br />
[66] In CA Consumer Finance SA, the ECJ made it clear that the Directive neither exhaustively lists the information on the basis of which the creditor must assess the consumer's creditworthiness nor specifies whether and how that information is to be verified. Rather, the creditor enjoys a margin of discretion in determining whether the information available to it is sufficient to establish the creditworthiness of the credit applicant and whether it must verify that information against other criteria. The creditor must therefore assess in each case, taking into account the circumstances of the individual case, whether the information provided by the credit applicant is relevant and sufficient. Whether the information is sufficient may vary according to the circumstances in which the credit agreement is concluded, the personal situation of the consumer or the amount of credit provided for in the agreement (ECJ 18 December 2014, C-449/13, CA Consumer Finance SA, ECLI:EU:C:2014:2464, paras 36 f.).<br />
[67] 4.7. The creditor is therefore not required, in the case of small goods credits, to obtain information on the consumer's income or asset situation, or on both, in addition to the report obtained from an external credit reference agency.<br />
[68] 5.1. According to the findings, the defendant obtains a report from an external credit reference agency before granting instalment payment options to new customers and limits the credit amount to EUR 500; for existing customers it draws on any negative credit information available within the group of companies. It also takes the credit amount into account in its decision; in addition, there are other factors not related to creditworthiness within the meaning of § 7(1) VKrG, such as the residential address.<br />
[69] 5.2. Particularly for the small goods credits covered by the claim for an injunction, i.e. those with a credit amount of EUR 200 or more, taking existing negative creditworthiness information into account, as can be derived from the information available within the group of companies and from the credit reference agency's report, does not appear to be an entirely unsuitable means of assessing creditworthiness. Nor does the plaintiff association claim otherwise. Particularly for very low credit amounts (from EUR 200), it is not apparent that additional knowledge of net income (at least unless combined with a detailed survey of all financial burdens, even minor ones) necessarily permits a more reliable assessment than a query as to whether, on account of existing "negative creditworthiness information", the recoverability of even very small credit amounts must be called into question from the outset. The same considerations apply to the need to ascertain the consumer's realisable assets.<br />
[70] 5.3. Whether the business practice complained of by the plaintiff association, namely not obtaining information on consumers' income and/or asset situation when granting instalment payment options beyond obtaining a report from an external credit reference agency, infringes § 7 VKrG cannot be answered in general terms but depends on the circumstances of the individual case.<br />
[71] It cannot be ruled out that, among the instalment payment options granted by the defendant, there are cases in which it is necessary to obtain information on the consumer's income situation or asset situation, or both. However, the claim for an injunction is not directed at such more specific cases but aims to prohibit the defendant, in all cases, from agreeing instalment purchases or instalment payment options with consumers with a total credit amount of at least EUR 200 without obtaining information on their income situation and/or their asset situation.<br />
[72] Such a claim is, however, not justified, because of the discretion granted to the creditor in the creditworthiness assessment. The appeal is therefore justified insofar as it is directed against the prohibition of the contested business practice 1. To that extent the judgment of the court of first instance had to be restored.<br />
<br />
[73] B. On the plaintiff's appeal:<br />
[74] The plaintiff's appeal is admissible because the standing (active legitimation) of the plaintiff association under §§ 28a, 29 KSchG to assert infringements of the GDPR has not yet been conclusively clarified.<br />
[75] Regarding the period for compliance (clause 1):<br />
[76] The court of appeal set a period of six months for ceasing to use and to rely on clause 1, on account of the organisational measures necessary for the IT changeover. Such a need is understandable in the present case, in which the inadmissible clause also affects the settlement of all ongoing instalment contracts (see RS0041265 [T12]). The period for compliance set by the court of appeal is therefore not objectionable in the present individual case.<br />
[77] Regarding business practice 2:<br />
[78] The defendant's business practice of carrying out the creditworthiness assessment when granting credit on the basis of a scoring, without granting the consumer the right to express his own point of view and to contest his classification, is contested.<br />
[79] With this claim for an injunction, the plaintiff did not object to the "internal scoring" practised by the defendant, but to the decision based on the classification made by the external credit reference agency. This procedure infringes Article 22 GDPR for reasons set out in detail.<br />
[80] The defendant objected that the plaintiff association has no standing with regard to data protection information obligations. The alleged infringement of Article 22 GDPR does not exist.<br />
[81] The court of first instance dismissed the claim because the defendant's approach complies with § 7 VKrG and Article 22 GDPR.<br />
[82] The court of appeal confirmed the dismissal of the claim on the ground that the plaintiff association lacks standing to assert data protection infringements.<br />
[83] As a significant legal issue, the appeal argues that the court of appeal disregarded the fact that the systematic infringement of Article 22 GDPR occurred in connection with consumer credit relationships, so that the representative action under § 28a KSchG is available.<br />
[84] 1. In proceedings 6 Ob 77/20x, the Supreme Court referred the following question to the Court of Justice of the European Union for a preliminary ruling (RS0133358):<br />
Do the provisions of Chapter VIII, in particular Article 80(1) and (2) and Article 84(1), of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119, 4 May 2016, p. 1; hereinafter "GDPR"), preclude national rules which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the legal remedies available to data subjects, grant competitors on the one hand and, on the other hand, associations, entities and chambers authorised under national law the power to bring proceedings against the infringer before the civil courts, on account of infringements of the GDPR and irrespective of the infringement of specific rights of individual data subjects and without a mandate from a data subject, under the heads of the prohibition of unfair commercial practices, infringement of a consumer protection law or the prohibition of the use of ineffective general terms and conditions?<br />
[85] 2.1. The plaintiff in the present proceedings is the same association entitled to sue under § 29 KSchG that is the plaintiff in 6 Ob 77/20x, there on the basis of § 28 KSchG. In the present proceedings, based on § 28a KSchG, it seeks an injunction against a business practice used by the defendant in connection with consumer credit relationships which infringes the GDPR.<br />
[86] 2.2. The question whether the plaintiff has standing to assert infringements of the GDPR by way of a representative action under § 29 KSchG is also relevant to the decision of the present dispute, because the question whether the Union legislature, with the legal protection instruments provided for in the GDPR, may have intended to create an exhaustive regime for the enforcement of data protection infringements is also decisive for actions against business practices connected with the legal relationships mentioned in § 28a KSchG.<br />
[87] Thus the Supreme Court, in its request for a preliminary ruling in 6 Ob 77/20x, also referred to the representative action "from the point of view of an infringement of a consumer protection law", i.e. under § 28a KSchG (cf. BGH 2020, I ZR 186/17 [Rz 47, 57 ff]).<br />
[88] 3. The Supreme Court must assume that the preliminary ruling of the Court of Justice has general effect and must apply it also in cases other than the one directly referred. For reasons of procedural economy, the present proceedings must therefore be stayed (RS0110583).<br />
<br />
[89] C. Regarding the requests for publication:<br />
[90] Because the proceedings are stayed with regard to the claim for an injunction concerning business practice 2 (infringement of the GDPR), the requests for publication made by both parties cannot be conclusively decided. A partial judgment is not appropriate here because a further publication after the final judgment would entail additional costs that would not be incurred in the case of a joint publication (Ciresa, Handbuch der Urteilsveröffentlichung4 [2017] Rz 4.28; RS0079937 [T1]).<br />
<br />
[91] D. Decision on costs:<br />
[92] The reservation of the decision on costs is based on § 52(4) ZPO.<br />
<br />
<br />
European Case Law Identifier<br />
ECLI:AT:OGH0002:2021:0060OB00048.21H.0806.000<br />
<br />
<br />
</pre></div>
JS
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20057
Article 4 GDPR
2021-09-23T15:20:20Z
<p>JS: </p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
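The definition in point (5) describes a structure rather than a particular method: the data set on one side, and on the other the ‘additional information’ that would re-attribute it, held separately and protected. The following Python program is an added illustration of that structure written for this page; it is not part of the Regulation's text or of GDPRhub's own material, and its field names, key store, per-purpose keys and sample records are assumptions made for the example.<br />

```python
"""Illustration of Article 4(5) GDPR ('pseudonymisation').

Direct identifiers in a record set are replaced by keyed pseudonyms; the
'additional information' that would re-attribute them (here: a secret key)
is held separately from the data set. Added example for this page, not part
of the Regulation or of GDPRhub; field names, the key store and the sample
records are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields treated as direct identifiers in the sample records (assumption).
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """Stands in for the separately kept 'additional information' of Art. 4(5).

    One key per processing purpose, so that data sets pseudonymised for
    different purposes cannot be linked to each other through the pseudonyms.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, purpose: str) -> bytes:
        if purpose not in self._keys:
            self._keys[purpose] = secrets.token_bytes(32)
        return self._keys[purpose]


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    The same identifier under the same key always yields the same token, so
    records about one person remain linkable within a data set; without the
    key the token can neither be inverted nor recomputed from a guess.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Return copies of the records with every direct identifier replaced."""
    out = []
    for rec in records:
        new = dict(rec)
        for fld in DIRECT_IDENTIFIERS:
            if fld in new:
                new[fld] = pseudonym(str(new[fld]), key)
        out.append(new)
    return out


def reidentify(token: str, key: bytes, known_identifiers: List[str]) -> Optional[str]:
    """Re-attribution by the party holding both the key and the identifiers.

    Recomputes the pseudonym for each identifier it legitimately holds and
    compares in constant time. A party without the key gets no match.
    """
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonym(ident, key), token):
            return ident
    return None


def demo() -> dict:
    """Run the whole flow on constructed records and report the properties."""
    records = [  # constructed sample data, not real persons
        {"name": "Alice Example", "email": "alice@example.org", "city": "Vienna", "visits": 3},
        {"name": "Bob Example", "email": "bob@example.org", "city": "Graz", "visits": 1},
        {"name": "Alice Example", "email": "alice@example.org", "city": "Vienna", "visits": 5},
    ]
    store = KeyStore()
    analytics = pseudonymise(records, store.key_for("analytics"))
    billing = pseudonymise(records, store.key_for("billing"))
    emails = [r["email"] for r in records]
    return {
        # no direct identifier survives in the pseudonymised set
        "no_plaintext_left": all(p["email"] != r["email"] for p, r in zip(analytics, records)),
        # the two Alice records are still linkable to each other
        "linkable_within_purpose": analytics[0]["email"] == analytics[2]["email"],
        # the same person carries unrelated tokens in the two purpose-bound sets
        "unlinkable_across_purposes": analytics[0]["email"] != billing[0]["email"],
        # the key holder can re-attribute a token; a party without the key cannot
        "reidentified_with_key": reidentify(analytics[1]["email"], store.key_for("analytics"), emails),
        "reidentified_without_key": reidentify(analytics[1]["email"], secrets.token_bytes(32), emails),
    }


if __name__ == "__main__":
    for prop, value in demo().items():
        print(f"{prop}: {value}")
```

The key store is the part the definition requires to be kept separately and protected by technical and organisational measures: whoever obtains both the data set and the key can re-attribute every record, which is why a pseudonymised set remains personal data (Recital 26) rather than anonymous data. The per-purpose keys are an added design choice that keeps sets pseudonymised for different purposes unlinkable to one another.<br />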
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}<br />
{{Recital/15 GDPR}}<br />
{{Recital/26 GDPR}}<br />
{{Recital/27 GDPR}}<br />
{{Recital/29 GDPR}}<br />
{{Recital/30 GDPR}}<br />
===Processing===<br />
{{Recital/15 GDPR}}<br />
===Restriction of Processing ===<br />
{{Recital/67 GDPR}}<br />
===Profiling ===<br />
{{Recital/24 GDPR}}<br />
{{Recital/30 GDPR}}<br />
{{Recital/60 GDPR}}<br />
{{Recital/71 GDPR}}<br />
===Pseudonymisation===<br />
{{Recital/26 GDPR}}<br />
{{Recital/28 GDPR}}<br />
{{Recital/29 GDPR}}<br />
===Filing System===<br />
{{Recital/15 GDPR}}<br />
===Controller ===<br />
{{Recital/79 GDPR}}<br />
===Processor===<br />
{{Recital/81 GDPR}}<br />
===Recipient ===<br />
{{Recital/31 GDPR}}<br />
===Third Party===<br />
{{Recital/47 GDPR}}<br />
===Consent===<br />
{{Recital/32 GDPR}}<br />
{{Recital/33 GDPR}}<br />
{{Recital/42 GDPR}}<br />
{{Recital/43 GDPR}}<br />
===Genetic Data===<br />
{{Recital/34 GDPR}}<br />
===Biometric Data ===<br />
{{Recital/51 GDPR}}<br />
===Data Concerning Health===<br />
{{Recital/35 GDPR}}<br />
{{Recital/54 GDPR}}<br />
===Main Establishment===<br />
{{Recital/22 GDPR}}<br />
{{Recital/36 GDPR}}<br />
=== Representative ===<br />
{{Recital/80 GDPR}}<br />
===Enterprise===<br />
{{Recital/13 GDPR}}<br />
===Group of Undertakings===<br />
{{Recital/37 GDPR}}<br />
{{Recital/48 GDPR}}<br />
===Binding Corporate Rules===<br />
{{Recital/110 GDPR}}<br />
=== Supervisory Authority===<br />
{{Recital/117 GDPR}}<br />
{{Recital/122 GDPR}}<br />
{{Recital/123 GDPR}}<br />
===Supervisory Authority Concerned ===<br />
{{Recital/124 GDPR}}<br />
===Cross-Border Processing===<br />
{{Recital/22 GDPR}}<br />
{{Recital/124 GDPR}}<br />
===Relevant and Reasoned Objection===<br />
{{Recital/124 GDPR}}<br />
===Information Society Service===<br />
{{Recital/21 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore leave scope for, and require, a new interpretation.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Whenever the interpretation of a term is in doubt, other language versions may therefore be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of the individual's position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating To====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) likewise allow the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information about the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of processing the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, deploying a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable ====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where it can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given that the previously mentioned identifiers are often more unique.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when it has not been identified yet but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both the information held by the controller and information held by other entities. However, the requirement that the use of such information be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. For example, where a governmental website collects the IP addresses of its visitors, each address relates to an identifiable person, given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make information increasingly accessible, measures to successfully identify individuals become increasingly reasonable to expect.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data is explicitly to be considered information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural Person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company’s name or e-mail address, it may be related to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data in CJEU Case Law====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing ===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
*'''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
*'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
*'''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
*'''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
*'''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
*'''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
*'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
*'''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
*'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
*'''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
*'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
*'''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
*'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
*'''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
*'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
*'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
*'''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
*'''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action with respect to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation that allows the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, the processing of personal data is restricted when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realized through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, relocation to a separate storage with access restrictions is required.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical methods to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
*Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
*Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
*Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that, by separating out or replacing identifying elements, the data can no longer be attributed to a particular data subject without the use of additional information. For data to count as pseudonymised, this additional information needs to be kept separately and protected through technical and organisational measures that prevent the identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
*Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
*Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, with the recent emergence of big data analytics and growing data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example:<br />
<br />
*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
*Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
*Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
*Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
*Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
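The following is an added example, not part of this commentary or of any source it cites, showing the structure of pseudonymisation described above in Python: direct identifiers are replaced by a keyed pseudonym, the key and the pseudonym-to-identity mapping together form the "additional information" of Article 4(5) GDPR and are kept in a separate store, and a plain (unkeyed) hash is contrasted with it to illustrate the Recital 26 cost-of-identification test. The record values, field names and the choice of HMAC-SHA256 are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records (fictional persons, not real data).
SAMPLE_RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.org", "diagnosis": "J45"},
    {"name": "Max Beispiel", "email": "max@example.org", "diagnosis": "E11"},
    {"name": "Anna Muster", "email": "anna@example.org", "diagnosis": "J45"},  # repeat visit
]

# Fields that directly identify the data subject (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class AdditionalInformation:
    """The 'additional information' of Article 4(5) GDPR: the secret key and the
    pseudonym-to-identity mapping. It must be stored separately from the
    pseudonymised data and protected by technical and organisational measures."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)


def _canonical(identifiers: dict) -> str:
    # Normalise spelling and order so the same person always yields the same input.
    return "|".join(f"{k}={identifiers[k].strip().lower()}" for k in sorted(identifiers))


def make_pseudonym(key: bytes, identifiers: dict) -> str:
    # HMAC-SHA256 over the canonicalised identifiers. Without the key, nobody can
    # recompute the pseudonym from a guessed name; with it, the controller can.
    digest = hmac.new(key, _canonical(identifiers).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records, additional: AdditionalInformation):
    """Replace direct identifiers by a pseudonym; identities go only to the separate store."""
    out = []
    for rec in records:
        ident = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonym = make_pseudonym(additional.key, ident)
        additional.mapping[pseudonym] = ident
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": pseudonym, **rest})
    return out


def re_identify(pseudonym: str, additional: AdditionalInformation):
    """Only the holder of the separately stored additional information can reverse it.
    Because this is possible, pseudonymised data remains personal data (Recital 26)."""
    return additional.mapping.get(pseudonym)


def anonymise(pseudonymised_records, additional: AdditionalInformation):
    """Destroy the key and mapping. No party can then link a pseudonym back to an
    identity via the store; whether the remaining attributes still single someone
    out is the separate case-by-case question the commentary describes."""
    additional.mapping.clear()
    additional.key = b""
    return [dict(r) for r in pseudonymised_records]


def plain_hash_token(identifiers: dict) -> str:
    # Unkeyed SHA-256 of the identifiers, a weaker form of 'hashing' as pseudonymisation.
    return hashlib.sha256(_canonical(identifiers).encode("utf-8")).hexdigest()[:16]


def recomputable_without_secret(token: str, candidate: dict) -> bool:
    """Defender's check: if a token can be recomputed from a candidate identity with
    no secret at all, the cost and time of identification (Recital 26 sentence 4)
    are negligible for anyone holding a list of candidates, so the token offers
    little protection compared to the keyed pseudonym above."""
    return hmac.compare_digest(plain_hash_token(candidate), token)


if __name__ == "__main__":
    store = AdditionalInformation()
    records = pseudonymise(SAMPLE_RECORDS, store)
    for r in records:
        print(r)
    print("re-identified:", re_identify(records[0]["pseudonym"], store))
    anonymise(records, store)
    print("after anonymisation:", re_identify(records[0]["pseudonym"], store))
```

Running the module prints the pseudonymised records (the two visits of the same person share one pseudonym), a successful re-identification using the store, and `None` once the store has been destroyed.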
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterized by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralized or decentralized manner. Also, a filing system does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
*Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be held by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller must ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by its operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor ===<br />
The processor is the next entity facing obligations under several provisions across the GDPR, complementing the concept of the controller defined in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller for that processing.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
In practice, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
An entity qualifying as a processor is subject to many provisions of the GDPR, such as the obligation to implement technical and organisational measures (see [[Article 32 GDPR]]), liability for damages (see [[Article 82 GDPR]]) and administrative fines (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which ensures compliance with the requirements of the GDPR through a binding data processing agreement. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and prior authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad: it covers any party to which personal data are disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that once a controller discloses personal data to another entity, it can no longer fully assume responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is disputed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are on the other hand not recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a certain degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception applies to public authorities which receive personal data in the framework of a particular inquiry, such as tax or customs authorities.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, the controller, the processor or any other person authorised by the controller or processor to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, they are not only a third party from the controller’s point of view but also become controllers themselves for that processing of personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR differs from its constitutional counterpart in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) CFR]. Consent under the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not a mere legal fiction, the definition sets out additional, cumulative criteria, which are complemented by [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, specific, informed and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it is presumed not to be freely given where the performance of a contract, including the provision of a service, is made conditional on consent to processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Typical examples of power asymmetries and bundled consent are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
====Informed====<br />
The request for consent needs to be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This gives the information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
====Specific====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
====Unambiguous====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-checked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice it is impossible to ascertain whether a user who did not deselect a pre-ticked checkbox actually gave consent or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
====Withdrawal====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent before it is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
====Capacity ====<br />
Generally, consent must be given by the data subject personally or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> For information society services offered directly to a child, [[Article 8 GDPR|Article 8(1) GDPR]] sets a minimum age of 16, which Member States may lower, but not below 13.<br />
<br />
====Explicit Consent====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
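The cumulative criteria above are what a controller has to be able to demonstrate under Article 7(1) GDPR. The following Python module is an added illustration and not part of the original commentary: it checks a stored consent record against those criteria (freely given, informed, specific, unambiguous, not withdrawn) and, in particular, rejects the pre-ticked checkbox pattern from Planet49. The record structure, the field names, the purpose labels and the two sample records are hypothetical assumptions made for the example.<br />

```python
"""Validator for stored consent records (illustrative example, not from the page).

Assumed record shape: one record per data subject and consent event,
listing the specific purposes consented to, how the affirmative action was
taken, whether the control was pre-ticked, and which notice was shown.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Labels that would make the consent a blanket consent (assumed vocabulary).
BLANKET_PURPOSES = {"*", "all", "any", "all purposes"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purposes: tuple                  # one entry per specific purpose
    action: Optional[str]            # e.g. "checkbox_ticked"; None = user left the default
    pre_ticked: bool                 # control already checked when shown (Planet49 pattern)
    notice_version: Optional[str]    # version of the information shown before consent
    bundled_with_service: bool       # service conditional on processing not needed for it
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def validate_consent(rec: ConsentRecord, now: datetime) -> list:
    """Return a list of defects; an empty list means the record evidences valid consent."""
    defects = []
    # Freely given: no bundling with a service that does not need the processing.
    if rec.bundled_with_service:
        defects.append("not freely given: service conditional on unnecessary processing")
    # Informed: the controller must be able to show which information was given.
    if not rec.notice_version:
        defects.append("not informed: no record of the information shown")
    # Specific: at least one purpose, and none of them a blanket purpose.
    if not rec.purposes:
        defects.append("not specific: no purpose recorded")
    elif any(p.strip().lower() in BLANKET_PURPOSES for p in rec.purposes):
        defects.append("not specific: blanket purpose")
    # Unambiguous: a clear affirmative action, not a pre-ticked box or inactivity.
    if rec.pre_ticked or rec.action is None:
        defects.append("not unambiguous: no clear affirmative action")
    # Withdrawal: consent no longer covers processing after it was withdrawn.
    if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
        defects.append("withdrawn: consent no longer covers processing")
    return defects


def consent_covers(rec: ConsentRecord, purpose: str, now: datetime) -> bool:
    """True only if the record is valid at `now` and names `purpose` explicitly."""
    return not validate_consent(rec, now) and purpose in rec.purposes


def withdraw(rec: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal must be as easy as giving consent: a single call, no other condition."""
    return replace(rec, withdrawn_at=at)


# Constructed sample records (not real data).
T0 = datetime(2021, 10, 1, 12, 0, tzinfo=timezone.utc)
GOOD = ConsentRecord("subj-1", ("newsletter",), "checkbox_ticked", False, "v3", False, T0)
PRE_TICKED = ConsentRecord("subj-2", ("analytics cookies",), None, True, "v3", False, T0)
BLANKET = ConsentRecord("subj-3", ("all purposes",), "button_clicked", False, None, True, T0)


def demo(now: datetime = T0) -> dict:
    """Evaluate the three sample records and report defects and coverage."""
    later = datetime(2021, 11, 1, tzinfo=timezone.utc)
    return {
        "good": validate_consent(GOOD, now),
        "good_covers_newsletter": consent_covers(GOOD, "newsletter", now),
        "good_covers_profiling": consent_covers(GOOD, "profiling", now),
        "pre_ticked": validate_consent(PRE_TICKED, now),
        "blanket": validate_consent(BLANKET, now),
        "withdrawn_later": validate_consent(withdraw(GOOD, later), later),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `consent_covers` is that a valid record only licenses the purposes it names: a record for "newsletter" does not cover "profiling", and a single blanket label fails the specificity check even when the affirmative action was genuine.<br />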
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly mentioned, any type of processing of the data concerned suffices.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organisational measures implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused by targeted attacks by third parties or by mishandling of personal data by the controller or persons acting under its instruction, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems holding personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access controls on data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully passing data on to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption of data by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of personal data, or to unauthorised disclosure of, or access to, such data. Where personal data are disclosed, the mere possibility of accessing the data suffices for a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach is especially relevant for the controller’s obligations to notify the DPA and to communicate the breach to data subjects under [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict conditions.<ref>Additionally, Member States may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carry a high risk of abuse in employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
=== (14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person which result from specific technical processing and allow or confirm the unique identification of that person. While this generally includes any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not as such biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through facial recognition software, that makes the extracted patterns biometric data. In the same way, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered biometric data.<br />
<br />
Other data that do not allow unique identification, such as height or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may fall under the definition of ‘health data’, which enjoys protection similar to that for biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status. According to Recital 35 GDPR, this includes all data referring to the past, present or future health status of the data subject. Any information on diseases, disease risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medication, as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(15) GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples''”.</ref> so as to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step towards determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. The WP29 stressed, however, that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the equipment necessary to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If the decisions on the purposes and means of processing are not taken at the controller’s central administration in the EU, the main establishment is determined by where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This depends neither on the place of the processing nor on the use of technical means and technologies for processing personal data. Instead, to determine the controller’s main establishment the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing finally ‘signed off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Processor====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in several Member States is the place of its central administration in the Union. <br />
<br />
However, when there is no central administration in the Union, the rule for processors is formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to specific obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘in the context of the activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that where a Member State establishment promotes and sells advertising space for the search engine of a third-country undertaking, the search engine’s processing of personal data is carried out in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
====Cases Involving Both the Controller and the Processor====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union who has been designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data of data subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming out of reach for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation must be made in writing and contain a mandate to represent the controller or processor with regard to their obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be reached by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests it pursues.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, which means activities intended to be carried out over the long term and not merely occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, other language versions merge the two into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines under [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings ===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; the actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as<br />
<br />
* The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* The data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such groups consist of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and which therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules ===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-corporate transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside these groups are not covered by binding corporate rules.<br />
<br />
There are, however, additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It operates under its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and are provided with competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the above-mentioned articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in three situations laid out by Article 4(22) GDPR:<br />
<br />
*For a controller or processor, when it is established in a member state of a supervisory authority,<br />
*for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or<br />
*where a complaint has been lodged with that supervisory authority.<br />
<br />
====Controller or Processor Establishment====<br />
A DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of whether such arrangements take the form of an actual branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is supported by the CJEU, which includes any real and effective activity exercised through stable arrangements, irrespective of the formal status of the establishment.<ref>CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
====Data Subject (Likely) Substantially Affected====<br />
A substantial effect, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> Conversely, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether the data subject is substantially affected, or is likely to be, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
====Filing a Complaint with the Supervisory Authority====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with DPAs other than the one of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even without the data subject having a residence within the EU or being (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-Border Processing===<br />
Cross-border processing means any processing taking place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union which substantially affects or is likely to substantially affect data subjects in more than one member state.<br />
<br />
Both conditions are therefore attached to the notion of ‘establishment’: (a) requires the controller or processor to have multiple establishments in different member states of the Union, while (b) only requires the controller or processor to have an establishment within a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
====Processing in the Context of Establishments within Multiple Member States====<br />
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of its formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out within the establishment itself, but can also take place in the context of its activities. If the establishment in the EU is not directly processing the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>CJEU, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Links to the processing in question that are merely remote, however, do not involve the other establishment and therefore do not constitute ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
====Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States====<br />
Here, too, a substantial effect indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether data subjects are substantially affected, or are likely to be, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority in situations where the processing concerns the supervisory authorities of multiple member states. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and Reasoned Objection===<br />
The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or that are based on weak arguments and merely delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold requiring such objections to be ‘relevant’ and ‘reasoned’. In this regard, they must contest the draft decision’s finding as to whether the GDPR has been infringed or complied with, clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely contain concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires the exact legal reasons for the objection to be provided,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the non-negligible risks entailed for the data subjects or for the free flow of personal data.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information Society Service===<br />
For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to that provision, such services are any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when electronic means are used, services provided in the physical presence of both the provider and the recipient do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is sent and received entirely via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the selling of goods, advertising and gaming do qualify as information society services.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual request, such as radio broadcasting, television or teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand or pay-per-view services do qualify as information society services.<ref>CJEU, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
*Online legal or health services<br />
*Online libraries or newspapers<br />
*Online shopping and booking services<br />
*Online media-platforms or video games<br />
*Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of the liability rules in Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) and the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International Organisation===<br />
An ‘international organisation’ means any organisation, or subordinate bodies thereof, which is governed by public international law or set up by an agreement between two or more countries.<br />
<br />
While the GDPR does not further specify the term and there is no universally accepted definition of it, the general definition in the Vienna Convention on the Law of Treaties of 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves, according to the CJEU, as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines an international organisation merely as an ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since neither of the two routes to qualifying as an international organisation laid out by the GDPR, governance by public international law or establishment by multilateral agreement, is further delineated, a much broader and more flexible approach to the term has been suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref><br />
<br />
In this regard, most organisations, such as the United Nations (UN), the International Telecommunication Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 306 (Oxford University Press 2020).</ref> These examples are not exhaustive, and the list could be extended almost indefinitely. Only NGOs, which are usually established as private initiatives and governed by the domestic law of a member state, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref><br />
<br />
The classification as an international organisation is relevant in terms of the additional rules placed on data transfers under [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].<br />
<br />
===Further Definitions===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains other articles that directly or indirectly deliver definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information check the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20056Article 4 GDPR2021-09-23T15:15:04Z<p>JS: /* Relevant Recitals */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}<br />
{{Recital/15 GDPR}}<br />
{{Recital/26 GDPR}}<br />
{{Recital/27 GDPR}}<br />
{{Recital/29 GDPR}}<br />
{{Recital/30 GDPR}}<br />
===Processing===<br />
{{Recital/15 GDPR}}<br />
===Restriction of Processing===<br />
{{Recital/67 GDPR}}<br />
===Profiling===<br />
{{Recital/24 GDPR}}<br />
{{Recital/30 GDPR}}<br />
{{Recital/60 GDPR}}<br />
{{Recital/71 GDPR}}<br />
===Pseudonymisation===<br />
{{Recital/26 GDPR}}<br />
{{Recital/28 GDPR}}<br />
{{Recital/29 GDPR}}<br />
===Filing System===<br />
{{Recital/15 GDPR}}<br />
===Controller===<br />
{{Recital/79 GDPR}}<br />
===Processor===<br />
{{Recital/81 GDPR}}<br />
===Recipient===<br />
{{Recital/31 GDPR}}<br />
===Third Party===<br />
{{Recital/47 GDPR}}<br />
===Consent===<br />
{{Recital/32 GDPR}}<br />
{{Recital/33 GDPR}}<br />
{{Recital/42 GDPR}}<br />
{{Recital/43 GDPR}}<br />
===Genetic Data===<br />
{{Recital/34 GDPR}}<br />
===Biometric Data===<br />
{{Recital/51 GDPR}}<br />
===Data Concerning Health===<br />
{{Recital/35 GDPR}}<br />
{{Recital/54 GDPR}}<br />
===Main Establishment===<br />
{{Recital/22 GDPR}}<br />
{{Recital/36 GDPR}}<br />
===Representative===<br />
{{Recital/80 GDPR}}<br />
===Enterprise===<br />
{{Recital/13 GDPR}}<br />
===Group of Undertakings===<br />
{{Recital/37 GDPR}}<br />
{{Recital/48 GDPR}}<br />
===Binding Corporate Rules===<br />
{{Recital/110 GDPR}}<br />
===Supervisory Authority===<br />
{{Recital/117 GDPR}}<br />
{{Recital/122 GDPR}}<br />
{{Recital/123 GDPR}}<br />
===Supervisory Authority Concerned===<br />
{{Recital/124 GDPR}}<br />
===Cross-Border Processing===<br />
{{Recital/22 GDPR}}<br />
{{Recital/124 GDPR}}<br />
===Relevant and Reasoned Objection===<br />
{{Recital/124 GDPR}}<br />
===Information Society Service===<br />
{{Recital/21 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify key notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; these leave scope for, and indeed require, a new interpretation.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for the notion of personal data to be satisfied.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes information regarding both the individual’s private and family life and the individual's working, economic or social behaviour, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating To====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> Conversely, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows the owner's wealth and income situation to be inferred, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person's rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for monitoring the performance of the respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person's height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned, often more unique, identifiers.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person using information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors to governmental websites, for example, each address relates to an identifiable person given the state's legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking into consideration the increasing accessibility of information through big data technologies, it becomes increasingly reasonable to expect that means of identifying individuals will be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural Person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define personhood as lasting from the moment of birth until the death of a person.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. Especially where information on a legal person, such as a company's name or mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data According to the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone number or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing ===<br />
Processing is another central requirement for the application of the GDPR. To be considered as 'processing', the operation in question has to relate to personal data as defined in Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
*'''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
*'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
*'''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
*'''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
*'''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, or on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
*'''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
*'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
*'''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
*'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
*'''Use''' (catch-all term for all active operations conducted on personal data), such as using addresses to deliver orders or mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
*'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
*'''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
*'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
*'''Alignment''' (comparison of information against other, specific criteria), such as grid investigations (also known as ‘dragnet’ actions).<br />
*'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
*'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as the deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
*'''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
*'''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive, taking no active action towards information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition on processing nor an erasure of personal data. It is a limitation under which the controller may process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions on the processing of personal data occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction must be ensured by technical safeguards ensuring that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, merely marking the data is typically not sufficient; instead, the data has to be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
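A record store that enforces the restriction marker described above, as an added example that is not code from GDPRhub or from the cited commentaries (the store design, the operation names and the sample records are constructed assumptions): restricted records are moved to a separate store, only storage continues, and lifting the restriction requires the data subject to have been informed.<br />
<br />
```python
"""Restriction of processing (Article 4(3) GDPR) enforced in a record store.

Added example, not code from GDPRhub or the cited commentaries. The store
design, the operation names and the sample records are constructed
assumptions; the point is that the restriction marker is enforced by the
system rather than merely annotated.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class ProcessingRestricted(Exception):
    """Raised when an operation would process restricted personal data."""


@dataclass
class Record:
    data: dict
    restricted: bool = False          # the marker of Recital 67 GDPR
    restriction_reason: str = ""


@dataclass
class RecordStore:
    # Ordinary records, reachable by normal application code.
    active: Dict[str, Record] = field(default_factory=dict)
    # Restricted records are moved out of the active store ("temporarily
    # moving the selected data to another processing system", Recital 67),
    # so the ordinary read/update paths cannot reach them even by mistake.
    restricted_store: Dict[str, Record] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def store(self, subject_id: str, data: dict) -> None:
        """Collection/storage of a new record about a subject."""
        if subject_id in self.restricted_store:
            # Creating new data is processing beyond mere storage.
            raise ProcessingRestricted(f"{subject_id}: processing is restricted")
        self.active[subject_id] = Record(dict(data))
        self.audit.append(f"store {subject_id}")

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the data and move it to the separate store. The data is
        retained (restriction is not erasure), but every operation other
        than keeping it stored is blocked until the restriction is lifted."""
        if subject_id in self.restricted_store:
            return                               # already restricted
        rec = self.active.pop(subject_id)        # KeyError for unknown subject
        rec.restricted, rec.restriction_reason = True, reason
        self.restricted_store[subject_id] = rec
        self.audit.append(f"restrict {subject_id}: {reason}")

    def lift_restriction(self, subject_id: str, subject_informed: bool) -> None:
        """Return the record to the active store. Article 18(3) GDPR requires
        the data subject to be informed before the restriction is lifted, so
        the caller has to confirm that this has happened."""
        if not subject_informed:
            raise ValueError(f"{subject_id}: inform the data subject first "
                             "(Article 18(3) GDPR)")
        rec = self.restricted_store.pop(subject_id)
        rec.restricted, rec.restriction_reason = False, ""
        self.active[subject_id] = rec
        self.audit.append(f"lift {subject_id}")

    def _require_unrestricted(self, subject_id: str, op: str) -> Record:
        if subject_id in self.restricted_store:
            self.audit.append(f"blocked {op} {subject_id}")
            raise ProcessingRestricted(f"{subject_id}: {op} blocked by restriction")
        return self.active[subject_id]

    def update(self, subject_id: str, **changes) -> None:
        """Adaptation/alteration: refused while restricted."""
        rec = self._require_unrestricted(subject_id, "update")
        rec.data.update(changes)
        self.audit.append(f"update {subject_id}")

    def read_for_use(self, subject_id: str) -> dict:
        """Retrieval/use (e.g. for marketing): refused while restricted."""
        rec = self._require_unrestricted(subject_id, "use")
        return dict(rec.data)

    def list_active(self) -> List[str]:
        """What ordinary users see: restricted subjects are absent."""
        return sorted(self.active)

    def is_retained(self, subject_id: str) -> bool:
        """Restriction is not erasure: the data still exists somewhere."""
        return subject_id in self.active or subject_id in self.restricted_store


if __name__ == "__main__":
    store = RecordStore()
    store.store("u1", {"email": "u1@example.org", "newsletter": True})  # constructed
    store.restrict("u1", "accuracy contested by the data subject")
    try:
        store.update("u1", newsletter=False)
    except ProcessingRestricted as err:
        print("refused:", err)
    store.lift_restriction("u1", subject_informed=True)
    print(store.audit)
```
<br />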
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
*Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
*Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
*Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application (see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR) or automated decision making ([[Article 22 GDPR]]). In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected by technical and organisational measures that prevent the respective controller from identifying the data subject.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
*Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
*Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
*Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, considering recent developments in big data analytics and data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
*Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
*Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
*Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
*Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
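The pseudonymisation described in this section, as an added example that is not code from GDPRhub or from any cited work (the record layout, the HMAC-based tokens and the sample persons are constructed assumptions): the mapping back to the person lives only in a separately held object, and an aggregation step shows the contrast with anonymisation.<br />
<br />
```python
"""Keyed pseudonymisation with the re-identification data held separately.

Added example illustrating Article 4(5) and Recital 26 GDPR; it is not code
from GDPRhub or from any cited commentary. The record layout, the HMAC-based
token construction and the sample persons are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample data set (fictitious persons, fictitious orders).
SAMPLE_RECORDS: List[dict] = [
    {"name": "Anna Beispiel", "email": "anna@example.org", "postcode": "1010", "order_total": 120},
    {"name": "Bert Muster", "email": "bert@example.org", "postcode": "1010", "order_total": 80},
    {"name": "Anna Beispiel", "email": "anna@example.org", "postcode": "1010", "order_total": 45},
    {"name": "Carla Test", "email": "carla@example.org", "postcode": "8010", "order_total": 300},
]
DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "email")


@dataclass
class AdditionalInformation:
    """The 'additional information' of Article 4(5) GDPR: a secret key plus the
    token -> identifiers lookup. It must be kept apart from the pseudonymised
    data set and protected by technical and organisational measures (for
    example a key vault with its own access control and audit trail)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, dict] = field(default_factory=dict)


def _token(key: bytes, identifiers: Tuple[str, ...]) -> str:
    # A keyed HMAC rather than a plain hash: an unkeyed hash of a name or
    # e-mail address can be recomputed by anyone who knows the input, so it
    # would not prevent attribution "without the use of additional
    # information". The key is that additional information.
    message = "\x1f".join(identifiers).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[dict], additional: AdditionalInformation) -> List[dict]:
    """Replace the direct identifiers of each record by a token.

    The same person always gets the same token, so records stay linkable
    (e.g. for analytics), while the mapping back is stored only in
    `additional`, never in the returned data set."""
    result = []
    for rec in records:
        identifiers = tuple(rec[f] for f in DIRECT_IDENTIFIERS)
        token = _token(additional.key, identifiers)
        additional.lookup[token] = dict(zip(DIRECT_IDENTIFIERS, identifiers))
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        result.append({"subject_token": token, **payload})
    return result


def reidentify(pseudonymised: dict, additional: AdditionalInformation) -> dict:
    """Invert the pseudonymisation. Only the holder of the additional
    information can do this, which is why pseudonymised data remains data
    on an identifiable person (Recital 26 GDPR)."""
    return additional.lookup[pseudonymised["subject_token"]]


def anonymise(pseudonymised: List[dict], min_subjects: int = 2) -> Dict[str, dict]:
    """Aggregate per postcode and suppress groups with fewer than
    `min_subjects` distinct persons. No token survives, so the result cannot
    be attributed to a data subject even with the additional information;
    this is the contrast with reversible pseudonymisation."""
    groups: Dict[str, dict] = {}
    for rec in pseudonymised:
        g = groups.setdefault(rec["postcode"], {"tokens": set(), "order_total": 0})
        g["tokens"].add(rec["subject_token"])
        g["order_total"] += rec["order_total"]
    return {
        pc: {"subjects": len(g["tokens"]), "order_total": g["order_total"]}
        for pc, g in groups.items()
        if len(g["tokens"]) >= min_subjects
    }


if __name__ == "__main__":
    vault = AdditionalInformation()          # stored separately in practice
    shared = pseudonymise(SAMPLE_RECORDS, vault)
    print(shared)                            # tokens instead of names
    print(reidentify(shared[0], vault))      # key holder can re-identify
    print(anonymise(shared))                 # {'1010': {'subjects': 2, 'order_total': 245}}
```
<br />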
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored either on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
*Salary lists of employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Saved letter correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data can be a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in the commentary on Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint controllership’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
*Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
*Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
*Facebook and websites that integrate a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing where it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor ===<br />
The processor is the next entity facing obligations under several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed several reference examples of controller-processor relationships:<br />
<br />
*Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
*Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
*Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
*A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data are disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully take responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are on the other hand not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, receiving personal data in the context of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller to carry out processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, they are not only considered a third party from the controller's point of view but also become controllers themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not merely a legal fiction, it must meet additional, cumulative criteria laid down in its definition and complemented by [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
*Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
*Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
*Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
====Informed====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
====Specific====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
====Unambiguous====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice concerning cookies, where a pre-checked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given consent by not deselecting a pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
====Withdrawal====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
====Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while member states may lower that age limit but not below 13.<br />
<br />
====Explicit Consent====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. Such a breach is any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can be caused either by targeted attacks by other parties or by mishandling of personal data by the controller or persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
*Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
*Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
*Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
*Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
*Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
*Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
*Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
*Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
*Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to unauthorised disclosure of, or access to, such data. Whenever personal data are disclosed, this qualifies as a personal data breach by virtue of the mere possibility of accessing the data; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant for the controller's obligations to notify DPAs and to communicate with data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allow a unique identification of the data subject and at the same time reveal personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carry a high risk of abuse in the areas of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
=== (14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing, which allow for a unique identification. While this generally includes any means of analysing and measuring the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification place higher burdens.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that makes the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow a unique identification, such as body size or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data could then fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveal such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
*Addictions to alcohol, drugs or medications as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
*Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
*Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
*Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) sensitive data may need to be processed without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
*Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
*Where are decisions about business activities that involve data processing made?<br />
*Where does the power to have decisions implemented effectively lie?<br />
*Where is the director with responsibility for cross-border processing located?<br />
*Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Processor====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in multiple member states shall also be the place of its central administration.<br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in an establishment in the Union that is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that even the intention of a member state establishment to provide advertising space for a third-country undertaking means that personal data are processed in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
====Cases Involving Both the Controller and the Processor====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are any natural or legal persons established in the Union that are designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs vis-à-vis controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming unreachable for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor itself.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be addressed under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> Public authorities, in particular, are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be carried out on a long-term basis and not merely occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]) are excluded.<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thus not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action against, or determining fines for, a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings ===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as<br />
<br />
- The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
<br />
- The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
<br />
- The data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
<br />
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities that do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules ===<br />
Binding corporate rules (‘BCR’ for short) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-corporate transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
There are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information regarding these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It adheres to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> the authorities shall cooperate, assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and shall be provided with competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the above-mentioned articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in one of three situations laid out by Article 4(22) GDPR:<br />
<br />
*for a controller or processor, when it is established in the member state of that supervisory authority,<br />
*for a data subject, when it resides in the member state of that supervisory authority and is (likely) substantially affected by the processing of personal data, or<br />
*where a complaint has been lodged with that supervisory authority.<br />
<br />
====Controller or Processor Establishment====<br />
A DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of whether such arrangements take the legal form of a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is endorsed by the EUCJ, which includes any real and effective activity exercised through stable arrangements, regardless of whether it formally presents itself as an establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
====(Likely) Substantial Effect on the Data Subject====<br />
A substantial effect, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> At the same time, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether there is a substantial effect, or the likelihood thereof, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as its permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
====Filing a Complaint with the Supervisory Authority====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with a DPA other than the one of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even where the data subject has no residence within the EU and is not (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-Border Processing===<br />
Cross-border processing means any processing taking place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union which (likely) substantially affects data subjects in more than one member state.<br />
<br />
Both conditions are therefore attached to the notion of ‘establishment’: (a) requires the controller or processor to have establishments in several different member states of the Union, while (b) only requires the controller or processor to have an establishment within a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
====Processing in the Context of Establishments within Multiple Member States====<br />
The notion of establishment is again to be interpreted broadly. It covers any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of its formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out by the establishment itself, but can also take place in the context of its activities. If the establishment in the EU does not directly process the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links to the processing in question do not involve the other entity and therefore do not constitute ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
====Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States====<br />
A substantial effect again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether there is a substantial effect, or the likelihood thereof, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority in situations where the processing concerns the supervisory authorities of multiple member states. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and Reasoned Objection===<br />
A ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or that rest on weak arguments and delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold: such objections must be ‘relevant’ and ‘reasoned’. In this regard, they have to show an infringement of, or compliance with, the GDPR contrary to the lead authority’s draft decision, clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely raise concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires the objecting authority to provide the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the non-negligible risks entailed for data subjects or for the free flow of personal data.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of a relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 Sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information Society Service===<br />
For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to that provision, such services are any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when electronic means are used, services provided in the physical presence of both the recipient and the provider do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is sent and received entirely via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the sale of goods, advertising and gaming do qualify.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television and teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
*Online legal or health services<br />
*Online libraries or newspapers<br />
*Online shopping and booking services<br />
*Online media-platforms or video games<br />
*Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of liability rules coming from Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) and the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International Organisation===<br />
An ‘international organisation’ means any organisation, including its subordinate bodies, which is governed by public international law or set up by an agreement between two or more countries.<br />
<br />
While the GDPR provides neither a universally accepted nor a more specific definition of the term, the general definition in the Vienna Convention on the Law of Treaties of 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves, according to the CJEU, as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines an international organisation merely as an ‘intergovernmental organization’ and thus fails to deliver a more specific definition. Moreover, since neither of the two routes to qualifying as an international organisation laid out by the GDPR, governance by public international law or establishment by multilateral agreement, is further delineated, a much broader and more flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref><br />
<br />
In this regard, most organisations, such as the United Nations (UN), the International Telecommunications Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> These examples are not exhaustive and could be extended almost indefinitely. Only NGOs, which are usually established as private initiatives and governed by the domestic law of a member state, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref><br />
<br />
The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].<br />
<br />
===Further Definitions===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains other articles that directly or indirectly deliver definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information check the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20055 Article 4 GDPR 2021-09-23T15:09:45Z
<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
<br />
===Processing===<br />
<br />
===Restriction of Processing===<br />
<br />
===Profiling===<br />
<br />
===Pseudonymisation===<br />
<br />
===Filing System===<br />
<br />
===Controller===<br />
<br />
===Processor===<br />
<br />
===Recipient===<br />
<br />
===Third Party===<br />
<br />
===Consent===<br />
<br />
===Personal Data Breach===<br />
<br />
===Genetic Data===<br />
<br />
===Biometric Data===<br />
<br />
===Data Concerning Health===<br />
<br />
===Main Establishment===<br />
<br />
===Representative===<br />
<br />
===Enterprise===<br />
<br />
===Group of Undertakings===<br />
<br />
===Binding Corporate Rules===<br />
<br />
===Supervisory Authority===<br />
<br />
===Supervisory Authority Concerned===<br />
<br />
===Cross-Border Processing===<br />
<br />
===Relevant and Reasoned Objection===<br />
<br />
===Information Society Service===<br />
<br />
===International Organisation===<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for these new definitions there is scope for new interpretations. <br />
<br />
It should be noted that the Regulation is legally binding in all official languages of the EU. In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, other language versions may therefore be consulted whenever the interpretation is in doubt, so as to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’, (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, which stated that <cite>"any item of data relating to an individual, harmless though it may seem, may be sensitive"</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the individual’s working, economic or social behaviour, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating To====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is “relating to” a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of processing the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly from the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the identifiers just mentioned, which are often more unique than a name.<ref>For direct identification, the name of a person usually needs to be combined with further information such as a date of birth, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when they have not been identified yet, but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities which could identify a person. However, the requirement that such information is “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors to governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking into consideration the increasing accessibility of information through big data technologies, the means to successfully identify individuals become increasingly reasonable to expect.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural Person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define natural personhood as lasting from the moment of birth to the death of a person.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address, it may be related to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al., The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data in CJEU Case Law====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
*'''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
*'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
*'''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
*'''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
*'''Storage''' (saving information to a physical and readable format), such as retaining information on paper, in files, or on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
*'''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
*'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
*'''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
*'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
*'''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
*'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
*'''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
*'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
*'''Alignment''' (comparison of information against other data or specific criteria), such as grid searches (also known as ‘dragnet’ investigations).<br />
*'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
*'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
*'''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
*'''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action regarding information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It limits the controller to processing certain personal data for very limited purposes only.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; it requires relocation to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
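<br />
The marker-based restriction described above, as an added example that is not part of this commentary: a 'restricted' flag is set on the stored record, and a single access layer refuses every operation that is not on an allow-list while the flag is set, logs the attempt, and drops the record from anything published. The operation names, the allow-list (retention and the data subject's own access) and the sample records are assumptions of the example.<br />

```python
"""Restriction marker on stored personal data (added example, not from the commentary).

Models Article 4(3): the record is neither erased nor freely processed. A
'restricted' marker is set, and the access layer, not the caller, refuses every
operation outside an allow-list while the marker is set. The allow-list and the
operation names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: str = ""


class RestrictedError(PermissionError):
    """Raised when an operation is attempted on a restricted record."""


class PersonalDataStore:
    # Operations that may still run while restricted (assumption: keeping the
    # record in storage and answering the data subject's own access request).
    ALLOWED_WHILE_RESTRICTED = frozenset({"retain", "subject_access"})

    def __init__(self) -> None:
        self._records: dict = {}
        self.audit: list = []  # (event, subject_id, detail)

    def put(self, record: Record) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str, reason: str) -> None:
        """Set the marker; the data itself stays untouched (no erasure)."""
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        self.audit.append(("restrict", subject_id, reason))

    def lift(self, subject_id: str) -> None:
        """Remove the marker (the data subject is informed beforehand, Article 18(3) GDPR)."""
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = False, ""
        self.audit.append(("lift", subject_id, ""))

    def process(self, subject_id: str, operation: str,
                fn: Optional[Callable[[Record], object]] = None) -> object:
        """Single choke point for all operations on a record; enforces the marker."""
        rec = self._records[subject_id]
        if rec.restricted and operation not in self.ALLOWED_WHILE_RESTRICTED:
            self.audit.append(("refused", subject_id, operation))
            raise RestrictedError(f"{operation} refused: {rec.restriction_reason}")
        self.audit.append(("allowed", subject_id, operation))
        return fn(rec) if fn else rec.data

    def public_listing(self) -> list:
        """Restricted records drop out of anything published (Recital 67: temporary removal from a website)."""
        return sorted(sid for sid, r in self._records.items() if not r.restricted)


def demo() -> dict:
    """Walk through restrict -> refused update -> allowed access -> lift; returns a summary."""
    store = PersonalDataStore()
    # Constructed sample records, not real people.
    store.put(Record("s-1001", {"name": "Anna Muster", "email": "anna@example.invalid"}))
    store.put(Record("s-1002", {"name": "Bernd Beispiel", "email": "bernd@example.invalid"}))
    store.restrict("s-1001", "accuracy contested by data subject")

    def update_email(rec: Record) -> str:
        rec.data["email"] = "new@example.invalid"
        return rec.data["email"]

    refused = False
    try:
        store.process("s-1001", "update", update_email)   # must be blocked
    except RestrictedError:
        refused = True
    email_while_restricted = store.process("s-1001", "subject_access")["email"]
    listing_while_restricted = store.public_listing()
    store.lift("s-1001")
    email_after_lift = store.process("s-1001", "update", update_email)
    return {
        "refused": refused,
        "email_while_restricted": email_while_restricted,
        "listing_while_restricted": listing_while_restricted,
        "email_after_lift": email_after_lift,
        "audit": store.audit,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```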
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
*Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
*Operating credit rating or scoring systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
*Operating e-recruitment systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, see [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
*Replacement of names by IDs, codes or aliases<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
*Encryption or hashing of data<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
*Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR, for example:<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref><br />
<br />
*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
*Handling personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
*Changing the purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
*Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
*Implementing data protection by design and by default ([[Article 25 GDPR]])<br />
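<br />
The two points made in the identifiability and pseudonymisation sections above, as an added example that is not part of this commentary: a keyed pseudonym (HMAC-SHA256) replaces the identifier, and the key together with the lookup table is the separately stored ‘additional information’ that lets the key holder re-identify, which is why the result remains personal data; by contrast, an unkeyed hash of a low-entropy identifier such as an IPv4 address can be mapped back by enumerating the candidates, well within the ‘means reasonably likely to be used’ of Recital 26. The records, names, addresses and key below are constructed for the example.<br />

```python
"""Pseudonymisation with separately held additional information (added example).

(1) Article 4(5): a keyed pseudonym replaces the identifier; key and lookup table
    are the 'additional information' that must be kept separately, and whoever
    holds them can re-identify (Recital 26: pseudonymised data stays personal data).
(2) Recital 26 'means reasonably likely to be used': an unkeyed hash of a
    low-entropy identifier (an IPv4 address) is no real pseudonym, because the
    mapping can be rebuilt by hashing every candidate value.
All records, names, addresses and keys are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (TEST-NET-3 addresses, fictitious names).
RECORDS = [
    {"name": "Anna Muster", "ip": "203.0.113.7", "order_total": 42.50},
    {"name": "Bernd Beispiel", "ip": "203.0.113.44", "order_total": 17.00},
    {"name": "Anna Muster", "ip": "203.0.113.7", "order_total": 9.99},
]


def keyed_pseudonym(field: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over 'field:value' under a secret key.

    Deterministic, so the same person gets the same pseudonym across records and
    the data stays linkable for analysis; without the key it cannot be recomputed.
    """
    return hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return pseudonymised records plus the lookup table (pseudonym -> original).

    The lookup table and the key are the 'additional information' of Article 4(5)
    and belong in a separate, access-controlled store, never next to the records.
    """
    lookup = {}
    out = []
    for r in records:
        p_name = keyed_pseudonym("name", r["name"], key)
        p_ip = keyed_pseudonym("ip", r["ip"], key)
        lookup[p_name] = r["name"]
        lookup[p_ip] = r["ip"]
        out.append({"name": p_name, "ip": p_ip, "order_total": r["order_total"]})
    return out, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Invert the pseudonymisation with the additional information (the key holder's view)."""
    return {"name": lookup[record["name"]], "ip": lookup[record["ip"]],
            "order_total": record["order_total"]}


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: what a naive 'just hash the IP' approach produces."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def rebuild_unkeyed_ipv4(digest: str, prefix: str = "203.0.113.") -> Optional[str]:
    """Recover an address from its unkeyed hash by enumerating a /24 block.

    256 hashes take milliseconds; the whole IPv4 space is only 2**32 candidates,
    so the hash does not remove identifiability in the sense of Recital 26.
    """
    for host in range(256):
        candidate = f"{prefix}{host}"
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in the separate key store
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo[0])
    print("re-identified by key holder:", reidentify(pseudo[0], lookup))
    print("unkeyed IP hash reversed:", rebuild_unkeyed_ipv4(unkeyed_hash(RECORDS[1]["ip"])))
```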
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the GDPR's approach of technological neutrality.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021); CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple carriers, in a centralised or decentralised manner. Nor does a filing system require information on multiple persons; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
*Salary lists of employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Saved letter correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
*Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be held by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared among several entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, joint controllership has been assumed between:<br />
<br />
*Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
*Facebook and the administrators of fan pages on its social network<ref>CJEU, C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in determining the purposes and means of the processing of the personal data of its visitors.</ref><br />
*Facebook and websites that have embedded a ‘Like’ button<ref>CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by its operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor ===<br />
The processor is the next entity facing obligations under several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as reference cases for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is meant to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully retain responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the context of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Dependent branches or departments of a controller are likewise not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, although considered a third party from the point of view of the controller, they become controllers themselves for the processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It expresses the data subject’s agreement to the processing of their personal data. It can be given by a written, electronic or oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR differs from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of the processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not merely a legal fiction, it must satisfy additional, cumulative criteria, laid down in its definition and complemented by [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor shall it be considered freely given when it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
====Informed====<br />
The request for consent needs to be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
====Specific====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
====Unambiguous====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice concerning cookies: a pre-checked checkbox which the user must deselect in order to refuse consent does not demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
====Withdrawal====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
====Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may lower that age limit, but not below 13.<br />
<br />
====Explicit Consent====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, a personal data breach requires a breach of security within that processing, that is, a failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by the mishandling of personal data by the controller or by persons acting under its instruction, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
As a further requirement, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to its unauthorised disclosure or access. Wherever personal data is disclosed, the mere possibility of accessing that data already qualifies the incident as a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant for the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, see [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict conditions.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
=== (14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing and allowing for a unique identification. While this generally covers any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that turns the extracted patterns into biometric data. Likewise, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as height or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may fall under the definition of ‘health data’, which enjoys similar protection to biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications, as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Physical or mental inability to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> which allows for seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis on the basis of an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement, provided that the representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
====Main Establishment of a Processor====<br />
As with controllers, the main establishment of a processor with establishments in multiple Member States is the place of its central administration. <br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, insofar as the processor is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which built on a broad definition of ‘establishment’ and clarified that the activity of an establishment in a Member State intended to provide advertising space for a third-country undertaking already means that personal data is processed in the context of the activities of that establishment in the Union.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
====Cases Involving Both the Controller and the Processor====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union who is designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming out of reach (“infeasible”) for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to their obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not designate a representative may be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are excluded from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, which means activities intended for the long term and not merely occasional ones.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings ===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not form a group of undertakings with it.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as<br />
<br />
*the joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
*the formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
*the data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
*the determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and which therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules ===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-corporate transfers, i.e. transfers between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
There are, however, additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(21) GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It adheres to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assist each other and conduct joint operations in order to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and are provided with specific competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the respective articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in one of three situations laid out in Article 4(22) GDPR:<br />
<br />
*for a controller or processor, when it is established in the member state of that supervisory authority,<br />
*for a data subject, when it resides in the member state of that supervisory authority and is (likely) substantially affected by the processing of personal data, or<br />
*where a complaint has been lodged with that supervisory authority.<br />
<br />
====Controller or Processor Establishment====<br />
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of whether such arrangements take the form of an actual branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is supported by the CJEU, which includes any real and effective activity exercised through stable arrangements, irrespective of the legal form of the establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
====(Likely) Substantial Effect on the Data Subject====<br />
A substantial effect, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> At the same time, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether the processing substantially affects the data subject, or is likely to do so, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as its permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
====Filing a Complaint with the Supervisory Authority====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with DPAs other than the one of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can even be concerned without the data subject residing within the EU or being (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-Border Processing===<br />
Cross-border processing means any processing of personal data which takes place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union, but which (likely) substantially affects data subjects in more than one member state.<br />
<br />
Both conditions are therefore attached to the notion of ‘establishment’: (a) requires the controller or processor to have multiple establishments in different member states of the Union, while (b) only requires the controller or processor to have an establishment in a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(23) GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
====Processing in the Context of Establishments within Multiple Member States====<br />
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of any formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU does not itself process the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links to the processing in question are not sufficient to involve another establishment and therefore do not give rise to ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
====Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States====<br />
A substantial effect again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether the processing substantially affects data subjects, or is likely to do so, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority where the processing concerns several member states. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and Reasoned Objection===<br />
The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or that are based on weak arguments and delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold by requiring such objections to be ‘relevant’ and ‘reasoned’. In this regard, they have to show whether there is an infringement of the GDPR or whether the envisaged action complies with the GDPR, contrary to the lead authority’s draft decision, and clearly demonstrate the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely contain concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4(24) GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires providing the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4(24) GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the non-negligible risks for the data subjects or for the free flow of personal data that the draft decision entails.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information Society Service===<br />
For the definition of ‘information society service’ the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to this provision, an information society service is any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when electronic means are used, services provided in the physical presence of both the provider and the recipient do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is sent and received entirely via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the selling of goods, advertising and gaming do qualify as information society services.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television or teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
*Online legal or health services<br />
*Online libraries or newspapers<br />
*Online shopping and booking services<br />
*Online media-platforms or video games<br />
*Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of the liability rules in Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International Organisation===<br />
An ‘international organisation’ means any organisation, including its subordinate bodies, which is governed by public international law or set up by an agreement between two or more countries.<br />
<br />
While there is neither a universally accepted definition of the term nor a further specification in the GDPR, the definition in the Vienna Convention on the Law of Treaties of 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves, according to the CJEU, as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines an international organisation merely as an ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since the two routes to an international organisation laid out in the GDPR, either through public international law or through multilateral agreements, are not further delineated either, a far broader and more flexible approach to the term has been suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref><br />
<br />
In this regard, most organisations, such as the United Nations (UN), the International Telecommunications Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> These examples are not exhaustive and the list can be extended at will. Only NGOs, which are usually established as private initiatives and governed by the domestic law of a member state, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref><br />
<br />
The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4(26) GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].<br />
<br />
===Further Definitions===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information, see the commentary on the respective articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20054Article 4 GDPR2021-09-23T14:53:31Z<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these there is scope for, and a need of, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is equally binding in all official languages of the EU. Whenever the interpretation of a term is in doubt, other language versions may therefore be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) ‘natural person’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer any meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> The Commission took the same position in 1990, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The European Court of Human Rights likewise stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes information regarding both the individual’s private and family life and the individual’s working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating To====<br />
The information must relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria (content, purpose or effect), i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information "relates to" a person when it is about a particular individual,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> whereas information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information linked exclusively to objects or events is not considered to relate to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows one to infer the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Geodata (such as GPS data and coordinates) likewise allows the derivation of locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of processing the information. In particular, the impact on a person’s rights and interests determines whether information relates to that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly by the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one or more of the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person's height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A person's name is therefore not necessarily required to identify an individual, since the other identifiers mentioned are often more unique than a name.<ref>For direct identification, the name of a person usually has to be combined with further information such as a date of birth, an address or a photo in order to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified, but identification is possible by combining the available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach, which in principle takes into account both the information held by the controller and information available to other entities. However, the requirement that such means are “reasonably likely” to be used narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, the available sources and the costs, time and effort required to perform the identification. Where a public authority operating a website collects the dynamic IP addresses of its visitors, for example, each address relates to an identifiable person, because the state has legal means at its disposal to obtain from the internet service provider the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make information ever more accessible, measures to successfully identify individuals become increasingly reasonable to use.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as further pieces of information are continuously added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore explicitly states that pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural Person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national laws usually define legal personality as lasting from the moment of birth to the death of a person.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide for rules regarding the processing of personal data of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is protected by the GDPR where it at the same time constitutes information on a natural person. In particular, where information on a legal person, such as a company's name or e-mail address, allows conclusions to be drawn about the natural person behind it, the information may relate to that natural person and therefore be personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples for Personal Data Subject to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref><br />
*Name of a person in conjunction with his or her telephone number or information about his or her working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings of persons<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate at a professional examination and any examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to be performed on personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (rendering information irreversibly inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is neither exhaustive nor selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step with regard to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation under which the controller may process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, restriction of processing occurs where the data are no longer required for the purpose they were originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised by marking the data in question so that it is 'locked' against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction should be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated filing systems, merely marking the data is typically not sufficient; the data has to be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> The fact that the processing is restricted should be clearly indicated in the system.<ref>Recital 67 sentence 3 GDPR.</ref> A data subject who has obtained a restriction has to be informed by the controller before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in connection with online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health, or more general personal preferences, interests and behaviour as well as location and movements. Typical examples are therefore<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed on the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, for example by separating or replacing the identifying information. To count as pseudonymised data, this additional information has to be kept separately and protected by technical and organisational measures that ensure the personal data are not attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing the data subject to be identified. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows the data subject to be identified through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 5/2015, p. 210.</ref> <br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, which considers the costs, the amount of time and the technology required to identify the data subject. However, given the recent advances in big data analytics and data processing capabilities, anonymisation becomes increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a 'subjective anonymisation',<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically still able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject has to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> Pseudonymisation in this sense reduces the risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> which accordingly refers to it in several provisions:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
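The techniques listed above can be illustrated in code. The following Python example is added here and is not part of the gdprhub commentary or of any source it cites; the records, names and e-mail addresses in it are constructed, and the class and function names are chosen for the example. It pseudonymises a small data set in two of the ways mentioned above, by replacing names with random aliases held in a separate mapping table and by replacing e-mail addresses with a keyed hash (HMAC-SHA256) whose key is kept apart, so that the mapping table and the key are the 'additional information' within the meaning of Article 4(5) GDPR. It then shows the caveat a practitioner should check for: an unkeyed hash of a guessable identifier such as an e-mail address is not a pseudonym in this sense, because anyone can reverse it by hashing candidate values, without any separately held information.<br />
<br />
```python
"""Pseudonymisation example (added illustration, not part of the gdprhub commentary).

Two techniques from the commentary's list are shown:
  1. replacing a name by a random alias, with the mapping table kept apart;
  2. keyed hashing (HMAC-SHA256) of a direct identifier, with the key kept apart.
The 'additional information' in the sense of Article 4(5) GDPR is the mapping
table in (1) and the secret key in (2). Whoever holds it can re-identify the
data subject, so the data set remains personal data for that party. The caveat
at the end: an UNKEYED hash of a low-entropy identifier is not a pseudonym,
because it can be reversed by guessing candidate values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the persons and addresses are fictitious.
RECORDS = [
    {"name": "Anna Beispiel", "email": "anna.beispiel@example.org", "diagnosis": "flu"},
    {"name": "Max Muster", "email": "max.muster@example.org", "diagnosis": "fracture"},
]


class PseudonymisationVault:
    """Holds the 'additional information' (key and mapping table) separately
    from the pseudonymised data set. In a real deployment this would live in a
    different system with its own access control (the technical and
    organisational measures Article 4(5) GDPR requires); here it is an object.
    The class name is chosen for this example."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.name_to_alias: Dict[str, str] = {}
        self.alias_to_name: Dict[str, str] = {}

    def pseudonym_for_name(self, name: str) -> str:
        """Technique 1: replace a name by a random but stable alias (table lookup).
        The alias carries no information about the name; only the table links them."""
        if name not in self.name_to_alias:
            alias = "P-" + secrets.token_hex(4)  # e.g. 'P-3fa2b7c1'
            self.name_to_alias[name] = alias
            self.alias_to_name[alias] = name
        return self.name_to_alias[name]

    def keyed_hash(self, identifier: str) -> str:
        """Technique 2: HMAC-SHA256 of a direct identifier under the vault's key.
        Deterministic, so the same person yields the same token across records
        (records stay linkable), but not computable without the key."""
        return hmac.new(self.key, identifier.lower().encode(), hashlib.sha256).hexdigest()

    def reidentify(self, alias: str) -> Optional[str]:
        """Only the holder of the vault can turn an alias back into a name."""
        return self.alias_to_name.get(alias)


def pseudonymise(records: List[dict], vault: PseudonymisationVault) -> List[dict]:
    """Return a copy of the records in which the direct identifiers are replaced.
    The output contains neither name nor e-mail address, only the alias, the
    keyed e-mail token and the payload ('diagnosis')."""
    return [
        {
            "pseudonym": vault.pseudonym_for_name(r["name"]),
            "email_token": vault.keyed_hash(r["email"]),
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def unkeyed_hash(identifier: str) -> str:
    """A plain SHA-256 of the identifier, which is often mistaken for anonymisation."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: List[str]) -> Optional[str]:
    """Reverse an UNKEYED hash of a guessable identifier by trying candidates.
    E-mail addresses, phone numbers and national ID numbers are all guessable,
    so a bare hash of them needs no separately held 'additional information'
    to be attributed to the person and does not satisfy Article 4(5) GDPR."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymisationVault()
    data = pseudonymise(RECORDS, vault)
    print(data)  # no names or e-mail addresses in the pseudonymised set
    print(vault.reidentify(data[0]["pseudonym"]))  # the vault holder can still re-identify
    # Caveat: an unkeyed hash of the e-mail address is reversible by guessing.
    print(dictionary_attack(unkeyed_hash(RECORDS[1]["email"]), [r["email"] for r in RECORDS]))
    # The keyed token is not, as long as the key stays in the vault.
    print(dictionary_attack(data[1]["email_token"], [r["email"] for r in RECORDS]))
```
<br />
Running the script prints the pseudonymised records, the re-identified name obtained through the vault, the e-mail address recovered from the unkeyed hash and `None` for the keyed token. The design point is that the vault, not the pseudonymised data set, is what the separation and access-control measures have to protect: once the key or the mapping table is disclosed to the party holding the data set, that party can re-identify every record.<br />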
<br />
===(6) Filing System===<br />
The notion of 'filing system' is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied where personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information to be stored on multiple persons; already storing structured information on a single person may qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations set out in the GDPR. Any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data is a controller. This includes the decisions on 'whether', 'why' and 'how' the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure and be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
Where two or more entities jointly decide on the purposes and means of the processing of personal data, these responsibilities are shared between them. In such cases of 'joint' or 'co-controllership', the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means can be very different among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of 'controller' is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators, with regard to personal data published on third-party websites that they structure, present and complement with advertisements within their search results, alongside the publishers of those websites<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the operator of the search engine is a controller for this processing in its own right, in addition to the publishers of the websites, since the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and Administrators of Fan Pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and Websites that integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to those operations for which it actually has influence on the purposes and means of the processing. It is therefore of particular relevance to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the processing operations on the personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Where the processor acts in its own interest or processes personal data for its own further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a 'joint' or 'co-controller' from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of Callcenters for Customer Communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of Mail Services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud Hosting and Grid Computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When an entity qualifies as a processor, many provisions of the GDPR apply to it, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data are disclosed, whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer bear full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor is generally acting on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are on the other hand not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when interests are balanced, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, although considered a third party from the point of view of the controller, they become controllers themselves for the processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, Zeitschrift für Datenschutz 03/07 (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may lower that age limit, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident concerning personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This means any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks by other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption through ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to it. Whenever personal data are disclosed, the mere possibility of accessing them already qualifies as a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already present or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, Member States may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows the unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing and allowing for unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs shall not be considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that makes the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow unique identification, such as body size or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data could then fall under the definition of ‘health data’, which offers protection similar to that for biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveal such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> which allows for seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. in the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of the processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or carrying out processing activities. Instead, to determine the controller’s main establishment the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing finally signed off?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in multiple Member States shall also be the place of its central administration in the Union.<br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which built on a broad definition of ‘establishment’ and clarified that an establishment in a Member State intended to sell advertising space for a third-country undertaking already entails processing of personal data in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents such actors, established only in a third country, from becoming “infeasible” to reach for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in written form, containing a mandate to represent the controller or processor with regard to their obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> Public authorities, in particular, are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires regular engagement in economic activities, meaning activities intended to be carried out on a long-term rather than merely occasional basis.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities are excluded (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merged them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English language version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not form a group of undertakings with it.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as<br />
<br />
- The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
<br />
- The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
<br />
- The data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
<br />
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. These consist of separate and independent entities that do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’ for short) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve for intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
However, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information regarding these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is subject to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and shall be provided with several competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the above-mentioned articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in three situations laid out by Article 4(22) GDPR:<br />
<br />
* for a controller or processor, when it is established in the member state of that supervisory authority,<br />
* for a data subject, when it resides in the member state of that supervisory authority and is (likely to be) substantially affected by the processing of personal data, or<br />
* where a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller or Processor Establishment ====<br />
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of whether such arrangements take the form of an actual branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is supported by the EUCJ, which includes any real and effective activity exercised through stable arrangements, irrespective of the legal form of the establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== (Likely) Substantial Affection of the Data Subject ====<br />
A substantial affection, although not further specified by the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> At the same time, the mere likelihood of such an impact is sufficient; an actual affection is not required. However, whether there is a substantial affection or the likelihood thereof is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as its permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with DPAs other than the one of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even if the data subject has no residence within the EU and there is no (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-Border Processing===<br />
Cross-border processing means any processing of personal data which takes place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.<br />
<br />
Both conditions are therefore attached to the notion of ‘establishment’, whereas (a) requires the controller or processor to have multiple establishments within different member states of the union, while (b) only requires the controller or processor to have an establishment within a single member state of the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
==== Processing in the Context of Establishments within Multiple Member States ====<br />
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of a formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out within the establishment itself, but can also take place in the context of its activities. If the establishment in the EU is not directly processing the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links to the processing in question do not involve the other entity and therefore do not constitute ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
==== Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States ====<br />
A substantial affection again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an impact is sufficient; an actual affection is not required. However, whether there is a substantial affection or the likelihood thereof is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority in situations where the processing concerns the supervisory authorities of multiple member states. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and Reasoned Objection===<br />
The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or that are based on weak arguments delaying decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold requiring such objections to be ‘relevant’ and ‘reasoned’. In this regard, they have to show whether there is an infringement of the GDPR, or whether the envisaged action complies with the GDPR, contrary to the lead authority’s draft decision, clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely contain concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires providing the exact legal reasons for the objection<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> and clearly stating the non-negligible risks for the data subjects or the free flow of personal data entailed by the draft decision.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information Society Service ===<br />
For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to that provision, such services are any services “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when electronic means are used, services provided in the physical presence of both the provider and the recipient do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, or electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the selling of goods, advertising and gaming do qualify as such.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television or teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
* Online legal or health services<br />
* Online libraries or newspapers<br />
* Online shopping and booking services<br />
* Online media-platforms or video games<br />
* Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of the liability rules in Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International Organisation===<br />
An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries.<br />
<br />
While there is no universally accepted definition of the term and the GDPR does not specify it further, the general definition from the Vienna Convention on the Law of Treaties of 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves, according to the CJEU, as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines an international organisation merely as an ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since both routes to qualifying as an international organisation laid out by the GDPR, either through public international law or through multilateral agreements, are not further delineated either, a considerably broader and more flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref><br />
<br />
In this regard, most organisations, such as the United Nations (UN), the International Telecommunications Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> However, these examples are not exhaustive and the list can be extended considerably. Only NGOs, which are usually established as private initiatives and governed by the domestic law of a member state, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref><br />
<br />
The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].<br />
<br />
=== Further Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains other articles that directly or indirectly deliver definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information check the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20053Article 4 GDPR2021-09-23T14:50:51Z<p>JS: Uploading Article 4(26) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the relevant notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for these, on the other hand, there is scope for new readings.<br />
<br />
The Regulation is legally binding in all official languages of the EU. To avoid linguistic inconsistencies leading to an inconsistent application of the law, other language versions may therefore be consulted whenever an interpretation is in doubt, in order to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’ (natural person). All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also taken by the Commission, which stated that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In the same vein, the European Court of Human Rights stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the individual's working, economic or social behaviour, regardless of the individual's position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, such as opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> The information need not be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information must relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information relates to a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allow the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the persons carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose element establishes a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effect of processing the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, which strongly affects their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, since the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified, but identification is possible by combining available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers information held by the controller as well as information held by other entities. However, the requirement that such information be “reasonably likely” to be used by the controller narrows this to a relative (subjective) approach. In addition, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where the dynamic IP addresses of visitors to a government website are collected, for example, each address relates to an identifiable person because the state has legal means to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, identifying individuals becomes increasingly “reasonably likely”.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, the persons concerned become more likely to be identified as more and more pieces of information are added to their data set.<ref>This requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For this reason, Recital 26 GDPR expressly states that pseudonymised data remains information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define legal personality as lasting from the birth to the death of a person.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>In particular, where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company’s name or e-mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for small businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his or her telephone number, or information about his or her working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate in a professional examination and the examiner’s comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered ‘processing’, the operation in question has to be performed on personal data within the meaning of Article 4(1) GDPR. It can be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means; it does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR frames the notion of processing broadly by enumerating a number of operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data sets or specific criteria), such as grid investigations (also known as ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and its categories overlap. The broad notion of processing allows the GDPR to be applied to practically any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action at all with respect to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It limits the controller to processing the personal data in question only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, the processing of personal data is restricted when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted because of legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction has to be ensured by technical safeguards so that the personal data is not subject to further processing operations or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data has to be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, a data subject who has obtained a restriction has to be informed by the controller before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
A restriction of processing can also be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]], or ordered by a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information, see the commentary on these provisions.<br />
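The following Python snippet is an added illustration of the technical safeguard described above; it is not part of the gdprhub commentary or of any cited source. It models the restriction marker on a record together with a gate in the single access path that refuses every operation except storage unless the stated purpose is one of those under which Article 18(2) GDPR still permits processing (consent, legal claims, rights of another person, important public interest), and it allows the restriction to be lifted only after the data subject has been informed, as Article 18(3) GDPR requires. The class and purpose names and the sample record are assumptions made for this example.<br />
<br />
```python
# Added example, not code from the gdprhub commentary or any project it cites:
# 'restriction of processing' as a marker on the record plus a gate in the
# only access path. Names, purpose labels and the sample record are assumed.
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    STORE = "store"
    READ = "read"
    UPDATE = "update"
    TRANSMIT = "transmit"
    ERASE = "erase"


# Purposes for which restricted data may still be processed apart from storage.
# Mirrors Article 18(2) GDPR (consent, legal claims, rights of another person,
# important public interest); the labels themselves are this example's assumption.
PERMITTED_WHILE_RESTRICTED = {"consent", "legal_claims", "rights_of_others", "public_interest"}


class ProcessingRestricted(Exception):
    """Raised when an operation hits a record that carries the restriction marker."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False       # the marker of Article 4(3) GDPR
    restriction_reason: str = ""


class RecordStore:
    """The marker alone changes nothing; the check in process() is the safeguard."""

    def __init__(self):
        self._records = {}
        self.audit = []            # (subject_id, operation, purpose, outcome)

    def store(self, record):
        self._records[record.subject_id] = record

    def restrict(self, subject_id, reason):
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        self.audit.append((subject_id, "restrict", reason, "ok"))

    def lift(self, subject_id, subject_informed):
        # Article 18(3) GDPR: the data subject is informed before the restriction is lifted.
        if not subject_informed:
            raise ValueError("inform the data subject before lifting the restriction")
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = False, ""
        self.audit.append((subject_id, "lift", "", "ok"))

    def process(self, subject_id, op, purpose="", changes=None):
        rec = self._records[subject_id]
        if rec.restricted and op is not Op.STORE and purpose not in PERMITTED_WHILE_RESTRICTED:
            self.audit.append((subject_id, op.value, purpose, "blocked"))
            raise ProcessingRestricted(f"{op.value} of {subject_id} blocked: {rec.restriction_reason}")
        self.audit.append((subject_id, op.value, purpose, "ok"))
        if op in (Op.READ, Op.TRANSMIT):
            return dict(rec.data)
        if op is Op.UPDATE:
            rec.data.update(changes or {})
            return dict(rec.data)
        if op is Op.ERASE:
            del self._records[subject_id]
        return None                # STORE: the record simply stays where it is


def demo():
    """Store, restrict, see marketing/CRM/erasure operations blocked, a legal-claims
    read permitted, then lift after informing the subject and process normally."""
    store = RecordStore()
    store.store(Record("subject-1", {"name": "A. Example", "email": "a@example.org"}))  # constructed
    store.restrict("subject-1", "accuracy contested by the data subject")
    blocked = 0
    for op, purpose, changes in ((Op.TRANSMIT, "marketing", None),
                                 (Op.UPDATE, "crm_cleanup", {"email": "x@example.org"}),
                                 (Op.ERASE, "retention_expiry", None)):
        try:
            store.process("subject-1", op, purpose, changes)
        except ProcessingRestricted:
            blocked += 1
    kept = store.process("subject-1", Op.READ, purpose="legal_claims")  # permitted under Art. 18(2)
    store.lift("subject-1", subject_informed=True)
    after = store.process("subject-1", Op.UPDATE, "crm_cleanup", {"email": "b@example.org"})
    return {
        "blocked": blocked,
        "unchanged_while_restricted": kept["email"] == "a@example.org",
        "email_after_lift": after["email"],
        "audit_blocked": sum(1 for entry in store.audit if entry[3] == "blocked"),
    }


if __name__ == "__main__":
    print(demo())
```
<br />
The point of the example is that the marker by itself is not a safeguard: the restriction is only enforced because every read, update, transmission and erasure passes through process(), and the audit list keeps blocked attempts visible for later review. In a real system the same gate would sit in the data access layer or database policy rather than in application code that can be bypassed.<br />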
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR responds to the risks and dangers originating from new forms of data processing, namely the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> Such profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs on the basis of online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests, behaviour, location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant for many other provisions of the GDPR, such as its territorial scope (see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR) or automated individual decision-making ([[Article 22 GDPR]]). In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, for instance by separating or replacing the identifying elements. To count as pseudonymised data, this additional information has to be kept separately and protected by technical and organisational measures which ensure that the data is not attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref> (note that an unkeyed hash of a low-entropy identifier such as an e-mail address or telephone number can be recomputed by anyone able to enumerate plausible inputs; it is the secret key of a keyed hash or cipher that actually serves as the separately kept additional information)<br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing the data subject to be identified; the GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data turns on the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, taking into account the costs, the amount of time and the technology required to identify the data subject. However, with the emergence of big data analytics and ever greater data processing capabilities, achieving anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any event, the information allowing re-identification of the data subject has to be stored separately and secured by technical and organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this way, pseudonymisation reduces the risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
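As an added illustration of the separation requirement (not code from the gdprhub commentary or any cited source), the following Python snippet pseudonymises a constructed set of e-mail addresses in two ways: with a plain SHA-256 hash, and with an HMAC under a secret key that is generated and kept apart from the data set. A dictionary attack using a list of plausible addresses re-identifies the hashed records but not the keyed ones, while the key holder can still re-attribute every record, which is exactly what makes pseudonymised data reversible and therefore still personal data under Recital 26 GDPR. The sample records, the attacker’s candidate list and all function names are assumptions of this example.<br />
<br />
```python
# Added example, not code from the gdprhub commentary or any project it cites.
# Shows why the *key* is the 'additional information' of Article 4(5) GDPR:
# unkeyed hashing of guessable identifiers is reversed by a dictionary attack,
# keyed hashing is not, and only the key holder can re-attribute the records.
import hashlib
import hmac
import secrets

# Constructed sample data set (no real persons).
RECORDS = [
    {"email": "alice@example.org", "purchase": "book"},
    {"email": "bob@example.org", "purchase": "lamp"},
    {"email": "carol@example.org", "purchase": "desk"},
]

# Constructed list of identifiers an attacker could plausibly enumerate, e.g.
# from a leaked address book. Two of them occur in the data set, one does not.
ATTACKER_CANDIDATES = ["alice@example.org", "bob@example.org", "dave@example.org"]


def unkeyed_pseudonym(identifier):
    """Plain SHA-256 of the identifier: deterministic and keyless, so anyone who
    can guess the input can recompute the value and match it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key. Without the key the output cannot be
    recomputed from a guessed input; with the key the holder can re-attribute."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records, pseudonym_fn):
    """Return a copy of the records with the direct identifier replaced by a pseudonym."""
    return [{"pid": pseudonym_fn(r["email"]), "purchase": r["purchase"]} for r in records]


def reidentify(pseudonymised, candidates, pseudonym_fn):
    """Dictionary attack: recompute the pseudonym for every candidate identifier
    and look for matches. Returns {pid: identifier} for each hit."""
    lookup = {pseudonym_fn(c): c for c in candidates}
    return {r["pid"]: lookup[r["pid"]] for r in pseudonymised if r["pid"] in lookup}


def compare():
    """Run both schemes and report how many records an attacker holding the
    candidate list (but not the key) re-identifies, and how many the key holder can."""
    key = secrets.token_bytes(32)           # generated and stored apart from the data set
    unkeyed = pseudonymise_dataset(RECORDS, unkeyed_pseudonym)
    keyed = pseudonymise_dataset(RECORDS, lambda e: keyed_pseudonym(e, key))
    attacker_guess = secrets.token_bytes(32)  # the attacker does not hold the real key
    return {
        "unkeyed_reidentified_by_attacker": len(
            reidentify(unkeyed, ATTACKER_CANDIDATES, unkeyed_pseudonym)),
        "keyed_reidentified_by_attacker": len(
            reidentify(keyed, ATTACKER_CANDIDATES, lambda e: keyed_pseudonym(e, attacker_guess))),
        "keyed_reidentified_by_key_holder": len(
            reidentify(keyed, [r["email"] for r in RECORDS], lambda e: keyed_pseudonym(e, key))),
    }


if __name__ == "__main__":
    print(compare())
```
<br />
In practice the key would live in a key management system with its own access controls, separate from the people and systems that handle the pseudonymised records. Destroying the key is what turns the data set into one that can no longer be attributed by the controller, although whether that amounts to anonymisation still depends on the reasonable-likelihood test discussed above, since the remaining attributes may themselves allow re-identification.<br />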
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach followed by the GDPR.<br />
<br />
A filing system is a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when the personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on several, in a centralised or decentralised manner. A filing system also does not require information on several persons to be stored; structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19-Guest-Lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations laid down by the GDPR. Any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data is a controller. This includes the decisions on ‘whether’, ‘why’ and ‘how’ personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
Where the means and purposes of the processing are determined jointly, these responsibilities are shared between several entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an arrangement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means may differ considerably between the actors involved in the processing. In order to ensure effective and complete protection of data subjects, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within the search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have embedded a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the website operator and enables Facebook to obtain personal data of the visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to the part of the processing over which it has influence on the purposes and means. This makes it particularly important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity on which several provisions of the GDPR impose obligations, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the technical operations of the processing.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever a processor acts in its own interest or processes personal data for its own further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]), liability for damages (see [[Article 82 GDPR]]) and the possibility of being fined (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is meant to ensure compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the authorisation of the controller. For further information, see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer assume full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller to carry out processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is considered a third party from the point of view of the controller and at the same time becomes a controller themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not a mere legal fiction, it must meet additional, cumulative criteria, laid down in its definition and complemented by [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect in order to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may not lower that age limit to below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a security breach within that processing, i.e. a failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to it. Whenever personal data is disclosed, the mere possibility of accessing that data already qualifies as a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing, which allows a unique identification. While this generally includes any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification set a higher bar.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as body size or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which offers protection similar to that for biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services revealing such information. According to Recital 35 GDPR, this includes all data referring to the past, present or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health- or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> so as to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in identifying the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently to determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member States concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing finally signed off?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration. <br />
<br />
However, where there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that already the fact that an establishment in a Member State is intended to provide advertising space for a third-country undertaking means that personal data is processed in the context of the activities of the Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any legal or natural person established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming unreachable for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not provide a representative can be reached by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires regular engagement in economic activities, meaning activities intended to be carried out over the long term and not merely occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]) are excluded.<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines under [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thus not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action against, or determining fines for, a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, by having personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not form a group of undertakings with that processor.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
<br />
- The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
<br />
- The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
<br />
- The transfer of personal data for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), referred to as a “''group privilege light''”.</ref> and<br />
<br />
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, a term also used in several provisions across the GDPR. Such a group consists of separate and independent entities that do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ adopted by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-group transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside these groups are not covered by binding corporate rules.<br />
<br />
There are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the national DPA concerned.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In any case, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA within the meaning of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It operates under its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority is competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> supervisory authorities must cooperate, assist each other and conduct joint operations in order to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
DPAs act independently (see [[Article 52 GDPR]]) and are provided with competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the above-mentioned articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in one of three situations laid out in Article 4(22) GDPR:<br />
<br />
* where the controller or processor is established on the territory of the member state of that supervisory authority,<br />
* where data subjects residing in the member state of that supervisory authority are substantially affected or likely to be substantially affected by the processing, or<br />
* where a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller/Processor Establishment ====<br />
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of whether such arrangements take the form of an actual branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is supported by the EUCJ, which covers any real and effective activity exercised through stable arrangements, irrespective of the legal form of that establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== Data Subject (Likely) Substantially Affected ====<br />
Although the GDPR does not specify the notion further, a data subject being ‘substantially affected’ indicates that the processing has a meaningful impact of at least considerable magnitude on that data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> The mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether a data subject is substantially affected, or likely to be, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be lodged with DPAs other than the one of the member state in which the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even if the data subject does not reside within the EU and is not (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-border processing===<br />
Cross-border processing means any processing of personal data that takes place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.<br />
<br />
Both alternatives are therefore tied to the notion of ‘establishment’: (a) requires the controller or processor to have several establishments in different member states of the Union, while (b) only requires the controller or processor to have an establishment in a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
==== Processing in the Context of Establishments within Multiple Member States ====<br />
The notion of establishment is again to be interpreted broadly. It covers any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of any formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out by the establishment itself, but may also take place in the context of its activities. Where the establishment in the EU does not itself process the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links to the processing in question do not bring another entity into play and therefore do not constitute ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the non-EU entity processing the data within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
==== Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States ====<br />
Again, data subjects being ‘substantially affected’ indicates that the processing has a meaningful impact of at least considerable magnitude on them.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether data subjects are substantially affected, or likely to be, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority in situations where the processing concerns the supervisory authorities of several member states. In this regard, it underpins the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and reasoned objection===<br />
The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or rest on weak arguments and would delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold by requiring such objections to be ‘relevant’ and ‘reasoned’. In this regard, they must contest the lead authority’s draft decision as to whether there is an infringement of the GDPR or whether the envisaged action complies with the GDPR, and clearly demonstrate the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely contain concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires providing the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the non-negligible risks it identifies for data subjects or for the free flow of personal data.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of a relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and the procedure for raising a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information society service===<br />
For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to that provision, such services are any services “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even where electronic means are used, services provided in the physical presence of the provider and the recipient do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, and electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the sale of goods, advertising and gaming do qualify as information society services.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual request, such as radio broadcasting, television and teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
* Online legal or health services<br />
* Online libraries or newspapers<br />
* Online shopping and booking services<br />
* Online media-platforms or video games<br />
* Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of the liability rules stemming from Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International organisation===<br />
An ‘international organisation’ means any organisation, or subordinate body of such an organisation, that is governed by public international law or set up by an agreement between two or more countries.<br />
<br />
While the GDPR provides no universally accepted or further specified definition of the term, the general definition in the 1969 Vienna Convention on the Law of Treaties<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves, according to the CJEU, as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines ‘international organization’ merely as ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since neither of the two routes to qualifying as an international organisation laid out by the GDPR, through public international law or through multilateral agreements, is further delineated, a considerably broader and more flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref><br />
<br />
In this regard, most organisations, such as the United Nations (UN), the International Telecommunication Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 306 (Oxford University Press 2020).</ref> These examples are not exhaustive and can be extended almost indefinitely. Only NGOs, which are usually non-governmental organisations established as private initiatives and governed by the domestic law of a member state, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref><br />
<br />
The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20052Article 4 GDPR2021-09-23T14:41:42Z<p>JS: Uploading Article 4(25) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. In the case of such new definitions, there is accordingly scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into the four requirements of (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) ‘individual’, all of which must be cumulatively fulfilled in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> By contrast, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allow the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly from the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned, often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that such means be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identification, taking into account state-of-the-art tools, available sources, and the cost, time and effort required to perform the identification. Where the operator of a government website logs the dynamic IP addresses of its visitors, for example, each address relates to an identifiable person, because the operator has legal means of obtaining, via the competent authority, the additional information held by the internet service provider that links the address to the visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means to identify individuals become increasingly “reasonably likely” to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified, as more and more pieces of information are added to their data set over time.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore expressly states that pseudonymised data, which could be attributed to a natural person by the use of additional information, remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
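The following Python script is an added example, not part of the original commentary, showing why a data set from which the names have been removed can still relate to identifiable persons in the sense of Recital 26 GDPR: it checks which records can be “singled out” by a combination of quasi-identifiers and then links them to a separately available register (information “held by another person”) that still carries names. The two data sets, the field names and the quasi-identifier combination (postcode, date of birth, sex) are constructed for illustration; the generalisation step at the end shows the kind of measure that makes identification less “reasonably likely”.<br />

```python
from collections import Counter

# Constructed sample data, not from the original page. The "de-identified" set
# has the name removed; the register is information "held by another person"
# (Recital 26 GDPR) that still carries names. Both share three quasi-identifiers.
DEIDENTIFIED = [
    {"postcode": "1010", "birth_date": "1985-03-14", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "1020", "birth_date": "1985-03-14", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "8010", "birth_date": "1990-11-02", "sex": "F", "diagnosis": "migraine"},
    {"postcode": "8010", "birth_date": "1990-11-02", "sex": "F", "diagnosis": "hypertension"},
]

REGISTER = [
    {"name": "A. Muster", "postcode": "1010", "birth_date": "1985-03-14", "sex": "F"},
    {"name": "B. Beispiel", "postcode": "1020", "birth_date": "1985-03-14", "sex": "F"},
    {"name": "C. Probe", "postcode": "8010", "birth_date": "1990-11-02", "sex": "F"},
    {"name": "D. Test", "postcode": "8010", "birth_date": "1990-11-02", "sex": "F"},
]

QUASI_IDS = ("postcode", "birth_date", "sex")


def qi_key(record, quasi_ids=QUASI_IDS):
    """The combination of quasi-identifier values a record can be matched on."""
    return tuple(record[field] for field in quasi_ids)


def singled_out(records, quasi_ids=QUASI_IDS):
    """Indices of records whose quasi-identifier combination is unique in the set.

    A record that is unique on these fields is "singled out": it can be
    distinguished from all other persons in the set without knowing a name.
    """
    counts = Counter(qi_key(r, quasi_ids) for r in records)
    return [i for i, r in enumerate(records) if counts[qi_key(r, quasi_ids)] == 1]


def min_group_size(records, quasi_ids=QUASI_IDS):
    """Smallest number of records sharing one combination (the k of k-anonymity)."""
    counts = Counter(qi_key(r, quasi_ids) for r in records)
    return min(counts.values())


def link(deidentified, register, quasi_ids=QUASI_IDS):
    """Re-attach names wherever exactly one register entry matches a record.

    Returns {index in deidentified: name}. Ambiguous matches (several register
    entries with the same combination) are left out; identifying those persons
    would need yet more information.
    """
    index = {}
    for entry in register:
        index.setdefault(qi_key(entry, quasi_ids), []).append(entry["name"])
    linked = {}
    for i, record in enumerate(deidentified):
        candidates = index.get(qi_key(record, quasi_ids), [])
        if len(candidates) == 1:
            linked[i] = candidates[0]
    return linked


def generalise(records):
    """One reduction step: keep only the year of birth and the first two postcode digits."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_date"] = r["birth_date"][:4]
        g["postcode"] = r["postcode"][:2] + "xx"
        out.append(g)
    return out


if __name__ == "__main__":
    print("singled out:", singled_out(DEIDENTIFIED))
    print("re-identified via the register:", link(DEIDENTIFIED, REGISTER))
    coarse = generalise(DEIDENTIFIED)
    print("after generalisation: k =", min_group_size(coarse),
          "singled out:", singled_out(coarse),
          "linkable:", link(coarse, generalise(REGISTER)))
```

Run as is, the first two records are unique on the three fields and are linked back to names without any name ever being present in the de-identified set; after generalisation every combination is shared by two records, so no record can be singled out or linked unambiguously. Whether that residual risk is “reasonably likely” to be exploited still has to be assessed against the cost, time and technology available to the parties concerned.<br />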
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or residents of particular countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
National laws usually define the natural person as existing from birth until death.<ref>However, the rules on unborn children differ considerably between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide for rules regarding the processing of personal data of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of a deceased person may be indirectly protected because it also relates to living relatives.<ref>Especially where a genetic disease of a parent indicates that the children may suffer from the same disease, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information on a legal person is nevertheless protected by the GDPR where it is at the same time information on a natural person. In particular, where information on a legal person allows conclusions to be drawn about the natural person behind it, for example where a company’s name or address is that of its owner, it relates to that natural person and is therefore personal data. This is especially common for small businesses and family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data from CJEU Case Law ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued and used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence and information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*The name of a person in conjunction with his or her telephone number or information about his or her working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video recordings of persons captured by a surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*The written answers submitted by a candidate at a professional examination and any examiner’s comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To qualify as ‘processing’, the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or one of a set of sequential operations which together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means; it does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR defines processing broadly, by listing a number of operations which typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of individual pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering which facilitates access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, on disks or drives, or on (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjusting the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changing the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using a postal address to deliver an order or an e-mail address to send a message.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparing information against other data or specific criteria), such as grid investigations (also called ‘dragnet’ searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking data so that its further processing is limited, see also Article 4(3) GDPR), such as temporarily making information unavailable to users or removing published information from a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (rendering information irreversibly inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is neither exhaustive nor made up of mutually exclusive categories. The broad notion of processing allows the GDPR to be applied to practically any kind of operation conducted on personal data. The only major exception is where the controller remains entirely passive and takes no action whatsoever with respect to information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It limits the controller to processing the personal data in question for very limited purposes only.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted where the data is no longer required for the purpose for which it was originally collected but cannot be erased because of legal retention obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is implemented by marking the data in question so that it is ‘locked’ against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction should in principle be ensured by technical means in such a manner that the personal data is not subject to further processing operations and cannot be changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data has to be moved to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Methods of restriction could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> A data subject who has obtained a restriction of processing must in any case be informed by the controller before the restriction is lifted, [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]] or be ordered by a supervisory authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
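As an added example, not part of the original commentary, the following Python script shows the ‘marker’ mechanism described above implemented as a technical safeguard in an automated system: each record carries a restriction flag, every operation has to state its purpose, and while the flag is set only the purposes which Article 18(2) GDPR still permits (storage, the data subject’s consent, legal claims, protection of another person’s rights, important public interest) go through; changes to the data are refused, and lifting the restriction first records the notification owed under Article 18(3) GDPR. The record store, the purpose names and the audit log are illustrative assumptions, not a description of any real product.<br />

```python
from dataclasses import dataclass, field

# Purposes that remain permissible while processing is restricted, following
# Article 18(2) GDPR. The purpose names themselves are assumptions of this example.
ALLOWED_WHILE_RESTRICTED = frozenset({
    "storage", "data_subject_consent", "legal_claims",
    "protect_other_person", "important_public_interest",
})


class ProcessingRestricted(Exception):
    """Raised when an operation is blocked by a restriction marker."""


@dataclass
class Record:
    data: dict
    restricted: bool = False      # the marker ("lock") referred to in Recital 67 GDPR
    restriction_reason: str = ""


@dataclass
class Store:
    """Minimal record store in which every operation is checked against the marker."""
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (event, record id, detail)

    def add(self, rid, data):
        self.records[rid] = Record(dict(data))
        self.audit.append(("add", rid, ""))

    def restrict(self, rid, reason):
        rec = self.records[rid]
        rec.restricted, rec.restriction_reason = True, reason
        self.audit.append(("restrict", rid, reason))

    def lift(self, rid):
        # Article 18(3) GDPR: the data subject is informed before the restriction is lifted.
        self.audit.append(("notify_data_subject", rid, "restriction about to be lifted"))
        rec = self.records[rid]
        rec.restricted, rec.restriction_reason = False, ""
        self.audit.append(("lift", rid, ""))

    def read(self, rid, purpose):
        """Use of the data for a stated purpose; blocked unless the purpose is still allowed."""
        rec = self.records[rid]
        if rec.restricted and purpose not in ALLOWED_WHILE_RESTRICTED:
            self.audit.append(("blocked", rid, purpose))
            raise ProcessingRestricted(f"{rid}: '{purpose}' blocked ({rec.restriction_reason})")
        self.audit.append(("read", rid, purpose))
        return dict(rec.data)

    def update(self, rid, **changes):
        """Restricted data 'cannot be changed' (Recital 67 sentence 2 GDPR)."""
        rec = self.records[rid]
        if rec.restricted:
            self.audit.append(("blocked", rid, "update"))
            raise ProcessingRestricted(f"{rid}: update blocked ({rec.restriction_reason})")
        rec.data.update(changes)
        self.audit.append(("update", rid, ",".join(changes)))

    def erase(self, rid):
        """Restriction is requested instead of erasure (Article 18(1)(b) GDPR), so erasure is blocked too."""
        rec = self.records[rid]
        if rec.restricted:
            self.audit.append(("blocked", rid, "erase"))
            raise ProcessingRestricted(f"{rid}: erasure blocked ({rec.restriction_reason})")
        del self.records[rid]
        self.audit.append(("erase", rid, ""))

    def blocked_events(self):
        return [e for e in self.audit if e[0] == "blocked"]


if __name__ == "__main__":
    store = Store()
    store.add("c-1", {"name": "A. Muster", "email": "a.muster@example.com"})
    store.restrict("c-1", "accuracy contested, Article 18(1)(a) GDPR")
    try:
        store.read("c-1", "marketing")
    except ProcessingRestricted as exc:
        print("refused:", exc)
    print("still allowed:", store.read("c-1", "legal_claims"))
    store.lift("c-1")
    store.update("c-1", email="new@example.com")
    print("after lifting:", store.read("c-1", "marketing"))
```

The check sits in the store rather than in the calling application, so a new consumer of the data cannot bypass it by forgetting to look at the flag, and every refusal is written to the audit log, which is what a controller needs to demonstrate under Article 24 GDPR that the restriction was actually enforced.<br />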
<br />
===(4) Profiling===<br />
By explicitly defining profiling, the GDPR reacts to the risks arising from new forms of data processing, namely the increasing creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> Such profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It can already take place on the basis of online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition contains a non-exhaustive list of the aspects typically profiled, namely performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient direct marketing<ref>Recital 70 GDPR.</ref><br />
* Operating credit rating or scoring systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-recruiting systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions of the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated individual decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed by the controller of the existence of profiling and of its consequences.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, typically by separating or replacing the identifying elements. For the data to count as pseudonymised, this additional information must be kept separately and be subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.<br />
<br />
Examples of the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information that allows the data subject to be identified; the GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 5/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood in Recital 26 sentences 3 and 4 GDPR, taking into account the cost, the time required and the technology available to identify the data subject. However, with the recent rise of big data analytics and data processing capabilities, anonymisation becomes increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective’ (i.e. relative) notion of anonymisation,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party which carried out the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject must be stored separately and secured by technical and organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> Pseudonymisation thus reduces the risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> in particular when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Processing for a purpose other than that for which the data was collected ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Complying with the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing data protection by design and by default ([[Article 25 GDPR]])<br />
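As an added example, not from the original commentary, the following Python script illustrates the ‘encryption or hashing’ case listed above and why Recital 26 GDPR still treats the result as information on an identifiable person: a plain hash of an identifier with a small value space, such as a phone number, is not protected by any ‘additional information kept separately’, because anyone can recompute the hash for every possible number and reverse it; a keyed hash (HMAC) moves the re-identification capability to whoever holds the key, and the key is then the separately stored additional information of Article 4(5) GDPR. The customer table, the phone number range and the key are constructed for illustration.<br />

```python
import hashlib
import hmac
import secrets

# Constructed sample table, not from the original page: the phone number is the
# direct identifier that is to be replaced by a pseudonym.
CUSTOMERS = [
    {"phone": "+43660000001", "order": "book"},
    {"phone": "+43660000002", "order": "lamp"},
]


def pseudonymise_unkeyed(records):
    """Replace the phone number by its plain SHA-256 hash (no secret involved)."""
    return [{"pid": hashlib.sha256(r["phone"].encode()).hexdigest(), "order": r["order"]}
            for r in records]


def pseudonymise_keyed(records, key):
    """Replace the phone number by HMAC-SHA256(key, phone).

    The key is the "additional information" of Article 4(5) GDPR: it has to be
    stored separately from the pseudonymised table and be access-controlled.
    """
    return [{"pid": hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest(),
             "order": r["order"]} for r in records]


def candidate_phones(prefix="+4366000", width=4):
    """Enumerate every number in a (deliberately small, constructed) numbering range."""
    for n in range(10 ** width):
        yield f"{prefix}{n:0{width}d}"


def dictionary_attack(pseudonymised, candidates):
    """Reverse unkeyed hashes by hashing every candidate and looking the results up.

    Returns {pid: phone} for every pseudonym that could be reversed. No key is
    needed: the value space is small enough for anyone to enumerate it.
    """
    table = {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}
    return {r["pid"]: table[r["pid"]] for r in pseudonymised if r["pid"] in table}


def reidentify_with_key(pseudonymised, key, candidates):
    """What only the key holder can do: recompute HMACs for known phone numbers."""
    table = {hmac.new(key, p.encode(), hashlib.sha256).hexdigest(): p for p in candidates}
    return {r["pid"]: table[r["pid"]] for r in pseudonymised if r["pid"] in table}


if __name__ == "__main__":
    candidates = list(candidate_phones())
    unkeyed = pseudonymise_unkeyed(CUSTOMERS)
    print("unkeyed hashes reversed without any key:", dictionary_attack(unkeyed, candidates))

    key = secrets.token_bytes(32)   # generated by the controller and kept separately
    keyed = pseudonymise_keyed(CUSTOMERS, key)
    print("keyed hashes reversed without the key:", dictionary_attack(keyed, candidates))
    print("keyed hashes reversed by the key holder:", reidentify_with_key(keyed, key, candidates))
```

Run as is, both unkeyed pseudonyms are reversed by brute force over the numbering range, the keyed ones are not, and the key holder recovers them again. The same reasoning applies to e-mail addresses, licence plates, IBANs and other identifiers whose value space can be enumerated or looked up: with a plain hash, the additional information needed for re-identification is effectively public, so the data is pseudonymised only in the sense that the identifier is no longer in clear text, not in the sense that identification is prevented without access to something kept separately.<br />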
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach followed by the GDPR.<br />
<br />
A filing system is any structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already the case where the personal data relating to a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Nor does a filing system require information on multiple persons; structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Examples are:<br />
<br />
* Salary lists of employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Filed letter correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations laid down in the GDPR. Any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data is a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to implement appropriate measures to ensure, and to be able to demonstrate, that any processing of personal data performed by it or on its behalf is in accordance with the GDPR.<br />
<br />
Where the purposes and means of the processing are determined jointly, these responsibilities are shared between several entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an arrangement between them, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means can differ considerably among the actors involved in the processing. In order to ensure effective and complete protection of data subjects, the concept of ‘controller’ is interpreted broadly by the courts.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, the CJEU has found the following parties to be (joint) controllers:<br />
<br />
* Search engine operators, with regard to the indexing, structuring and presentation of personal data published on third-party websites, as controllers in their own right alongside the publishers of those websites<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data, which otherwise might not have been found on the web page on which they are published.</ref><br />
* Facebook and the administrator of a fan page hosted on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and the operator of a website which embeds a ‘Like’ button, in respect of the collection and transmission of visitors’ personal data<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the operator decides to embed the ‘Like’ button on its website and thereby enables Facebook to obtain the personal data of the website’s visitors.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to the part of the processing over which it has influence on the purposes and means. This makes it particularly important to clarify the responsibilities of each controller in accordance with [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR; it complements the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller in respect of that processing (see also [[Article 28 GDPR|Article 28(10) GDPR]]).<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples of typical controller-processor relationships:<br />
<br />
* Outsourced call centres for customer communication<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourced mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity within a group of companies which specialises in data processing<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the obligation to implement appropriate technical and organisational measures (see [[Article 32 GDPR]]), liability for damages (see [[Article 82 GDPR]]) and administrative fines (see [[Article 83 GDPR]]). Of particular relevance is [[Article 28 GDPR]], which requires a binding contract (data processing agreement) between the controller and the processor to ensure that the requirements of the GDPR are met. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires the prior authorisation of the controller and a further processing agreement imposing the same data protection obligations on the sub-processor. For further information see the commentary on [[Article 28 GDPR|Article 28(2) and (4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad: it covers any party to which personal data is disclosed, whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The rationale is that once the controller discloses personal data to another entity, it can no longer fully control the processing itself.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, they are not only considered a third party from the point of view of the controller, but also become controllers themselves for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given by a written, electronic or oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not merely a legal fiction, it must satisfy additional, cumulative criteria, laid down in its definition and complemented by [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor shall it be considered freely given when it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This appears to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously, in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice concerning cookies: a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox, or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may set a lower age, provided that it is not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organizational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks by other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to it. Whenever personal data is disclosed, the mere possibility of accessing that data qualifies as a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches ([[Article 70 GDPR|Article 70(1)(g)(h) GDPR]]).<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data is relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, Member States may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing and allowing for a unique identification. While this generally includes any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as height or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which offers protection similar to that for biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless, high level of protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently to determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement, where that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, the main establishment must be determined based on where the effective and real exercise of the main decisions on the purposes and means of the processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This depends neither on the place of the processing nor on the use of technical means and technologies for processing personal data or on the processing activities themselves. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing finally signed off?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration. <br />
<br />
However, where there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place in the context of its activities, to the extent that the processor is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of the activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that the activity of an establishment in a Member State intended to provide advertising space for a third-country undertaking already amounts to processing of personal data in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any legal or natural person established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organs of the controller; rather, they serve as contact persons for data subjects and DPAs in relation to controllers and processors established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents such actors, established only in a third country, from being out of reach for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in an economic activity. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be carried out over the long term and not merely on an occasional basis.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) undertaking and one or more undertakings dependent on it (“controlled” undertakings).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one undertaking exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is typically the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings already suffice to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not thereby form a group of undertakings with that processor.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings is relevant for several provisions across the GDPR, such as <br />
<br />
- The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
<br />
- The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
<br />
- The data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
<br />
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, a term also used in several provisions of the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and which therefore can neither designate a single Data Protection Officer nor rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ adopted by controllers or processors established in the Union for transfers of personal data outside the Union within their group. Binding corporate rules thus constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only cover intra-group transfers, i.e. transfers between entities of the group of undertakings or group of enterprises concerned. Transfers to entities outside these groups are not covered by binding corporate rules.<br />
<br />
There are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information regarding such rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. Their role is to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states may establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In any case, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is subject to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority is competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> the authorities shall cooperate, assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
DPAs act with complete independence (see [[Article 52 GDPR]]) and are vested with competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the respective articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in any of the three situations laid out in Article 4(22) GDPR:<br />
<br />
* the controller or processor is established on the territory of the member state of that supervisory authority,<br />
* data subjects residing in the member state of that supervisory authority are substantially affected, or likely to be substantially affected, by the processing, or<br />
* a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller/Processor Establishment ====<br />
A DPA is concerned when a controller or processor is established on the territory of its member state. Establishment implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of whether those arrangements take the legal form of a branch or a subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is endorsed by the EUCJ, which treats any real and effective activity exercised through stable arrangements as an establishment, irrespective of its formal characterisation.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== (Likely) Substantial Effect on the Data Subject ====<br />
A substantial effect, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> Conversely, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether there is a substantial effect, or the likelihood thereof, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this criterion requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> <br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Lodging a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be lodged with a DPA other than that of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even where the data subject has no residence within the EU and there is no (likely) substantial effect. For further information on lodging a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-border processing===<br />
Cross-border processing means any processing that takes place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in more than one member state, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union, where the processing substantially affects or is likely to substantially affect data subjects in more than one member state.<br />
<br />
Both alternatives are therefore tied to the notion of ‘establishment’: (a) requires the controller or processor to have establishments in several member states of the Union, while (b) only requires an establishment in a single member state.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor must be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
==== Processing in the Context of Establishments within Multiple Member States ====<br />
The notion of establishment is again to be interpreted broadly. It covers any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of the formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing need not be carried out by the establishment itself; it is sufficient that it takes place in the context of its activities. Where the establishment in the EU does not itself process the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> A merely remote link to the processing in question does not suffice to involve a further establishment and therefore does not give rise to ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
==== Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States ====<br />
A substantial effect again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subjects.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether there is a substantial effect, or the likelihood thereof, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority where the processing concerns supervisory authorities of several member states. In this regard, it underpins the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and reasoned objection===<br />
A ‘relevant and reasoned objection’ refers to the situation in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by the lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in a cross-border processing context.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority may either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are poorly founded or rest on weak arguments and would delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR sets a threshold: objections must be ‘relevant’ and ‘reasoned’. An objection must therefore address whether there is an infringement of the GDPR, or whether the action envisaged in relation to the controller or processor complies with the GDPR, and it must clearly demonstrate the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned if it refers to the concrete draft decision and does not merely express concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires the precise legal reasons for the objection to be stated,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly setting out the non-negligible risks for data subjects or for the free flow of personal data.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 Sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information society service ===<br />
For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535] laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. Accordingly, such services are any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even where electronic means are used, services provided in the physical presence of the provider and the recipient do not fall within this definition.<ref>For example, medical examinations or treatment at a doctor's surgery using electronic equipment, consultation of an electronic catalogue or ticket reservation in a shop with the customer on site, and electronic games in a video arcade; see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref><br />
<br />
‘By electronic means’ requires that the service is sent and received entirely by means of electronic equipment for the processing and storage of data, and is entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded from this definition,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the sale of goods, advertising and gaming do qualify as such.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref><br />
<br />
‘At the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services that transmit data for simultaneous reception by an unlimited number of recipients without their individual demand, such as radio broadcasting, television and teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> By contrast, video-on-demand services, which transmit content at the individual request of the recipient, do qualify as information society services, whereas near-video-on-demand or pay-per-view schedules broadcast to all subscribers at fixed times remain television broadcasting services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]); see also Annex I(3.)(a) Directive (EU) 2015/1535, which lists near-video-on-demand among television broadcasting services.</ref><br />
<br />
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref><br />
<br />
* Online legal or health services<br />
* Online libraries or newspapers<br />
* Online shopping and booking services<br />
* Online media-platforms or video games<br />
* Online search engines and web browsers<br />
<br />
The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]<ref>Especially in terms of the liability rules in Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce Directive 2000/31/EC]; see also Recital 21 GDPR.</ref>), children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) and the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary on the relevant provisions.<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20050Article 4 GDPR2021-09-23T14:26:52Z<p>JS: Uploading Article 4(24) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. <br />
<br />
In the case of these new definitions, on the other hand, there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, which must be fulfilled cumulatively for the notion of personal data to be satisfied.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also recently supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly becomes related to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given the previously mentioned, often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not been identified yet but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both the information held by the controller and information held by other entities that could identify a person. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that, in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors to governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking into consideration the increasing accessibility of information through big data technologies, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as ever more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data is explicitly still to be considered information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define legal personhood as lasting from the moment of birth until the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>In particular, where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. Especially where the information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data before the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data, according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information on a website or making it inaccessible.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step towards information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation on the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions on the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; it requires relocation to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
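The following is an added example (not part of this commentary) of how the marker-and-safeguard approach described above can be enforced in an automated system: a restricted record is marked, moved out of the store ordinary users and jobs see, never changed, and only read for a narrow set of purposes. The permitted purposes, the store layout and the sample records are assumptions of this example.<br />
<br />
```python
"""Added example (not part of the GDPRhub commentary): a minimal record store
that enforces 'restriction of processing' in an automated system.
The restricted record is marked, moved to a separate store, protected from
changes, and only readable for a narrow set of purposes. The purposes and the
store layout are an assumed policy of this example, not taken from the text."""
from dataclasses import dataclass
from enum import Enum, auto


class Purpose(Enum):
    SERVICE = auto()           # ordinary use for the original purpose
    MARKETING = auto()
    STORAGE = auto()           # merely keeping the data
    LEGAL_OBLIGATION = auto()  # hypothetical: retention required by law


class RestrictedError(PermissionError):
    """Raised when an operation would process a restricted record."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: str = ""


class RecordStore:
    # Example policy: only these purposes may still read a restricted record.
    ALLOWED_WHILE_RESTRICTED = frozenset({Purpose.STORAGE, Purpose.LEGAL_OBLIGATION})

    def __init__(self) -> None:
        self._active: dict[str, Record] = {}
        # Separate store that ordinary users and batch jobs never see.
        self._restricted: dict[str, Record] = {}
        self.audit: list[str] = []
        # Data subjects who must be informed before a restriction is lifted.
        self.pending_notices: list[str] = []

    def add(self, record: Record) -> None:
        self._active[record.subject_id] = record

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the record and move it out of the active store."""
        record = self._active.pop(subject_id)
        record.restricted = True
        record.restriction_reason = reason
        self._restricted[subject_id] = record
        self.audit.append(f"restrict {subject_id}: {reason}")

    def lift(self, subject_id: str) -> None:
        """Lift the restriction and queue the Article 18(3) notice."""
        record = self._restricted.pop(subject_id)
        record.restricted = False
        record.restriction_reason = ""
        self._active[subject_id] = record
        self.pending_notices.append(subject_id)
        self.audit.append(f"lift {subject_id}")

    def can_read(self, subject_id: str, purpose: Purpose) -> bool:
        if subject_id in self._active:
            return True
        return subject_id in self._restricted and purpose in self.ALLOWED_WHILE_RESTRICTED

    def read(self, subject_id: str, purpose: Purpose) -> dict:
        """Serve a copy of the data, or refuse and log the refusal."""
        if not self.can_read(subject_id, purpose):
            self.audit.append(f"refused read {subject_id} for {purpose.name}")
            raise RestrictedError(f"{subject_id} is restricted")
        record = self._active.get(subject_id) or self._restricted[subject_id]
        return dict(record.data)

    def can_update(self, subject_id: str) -> bool:
        # Restricted data is never changed (Recital 67 sentence 2 GDPR).
        return subject_id in self._active

    def update(self, subject_id: str, changes: dict) -> None:
        if not self.can_update(subject_id):
            self.audit.append(f"refused update {subject_id}")
            raise RestrictedError(f"{subject_id} is restricted")
        self._active[subject_id].data.update(changes)

    def visible_subjects(self) -> list[str]:
        """What ordinary users and export jobs get to see."""
        return sorted(self._active)


def demo() -> RecordStore:
    """Constructed sample data: two fictitious subjects, one restriction."""
    store = RecordStore()
    store.add(Record("s-001", {"name": "A. Example", "email": "a@example.invalid"}))
    store.add(Record("s-002", {"name": "B. Example", "email": "b@example.invalid"}))
    # s-001 contests the accuracy of their data (Article 18(1)(a) GDPR).
    store.restrict("s-001", "accuracy contested by data subject")
    return store
```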
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical methods to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as location and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling takes effect within many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names with IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time required and the technology available to identify the data subject. However, considering the recent emergence of big data analytics and data processing capabilities, the process of anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to reassign the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any event, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
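The following is an added example (not part of this commentary) of pseudonymisation by replacing direct identifiers with aliases, the first technique listed above. The alias table is the ‘additional information’ that is held separately and makes the operation invertible; destroying that table is what turns the set into anonymised data in the sense of the distinction drawn above. The field names, records and the alias format are constructed for this example.<br />
<br />
```python
"""Added example (not part of the GDPRhub commentary): pseudonymisation by
replacing direct identifiers with random aliases. The alias table is the
'additional information' kept apart from the working data set; while it exists
the pseudonyms can be inverted, so the data remains personal data. Field names,
records and alias format are constructed for this example."""
import secrets
from typing import Optional

# Fields treated as direct identifiers (assumption of this example).
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """Holds the alias table separately from the pseudonymised data set.

    In a real deployment this lives behind its own access control (the technical
    and organisational measures the definition requires); here the separation is
    only the object boundary."""

    def __init__(self) -> None:
        self._alias_for: dict[tuple, str] = {}
        self._identity_for: dict[str, tuple] = {}
        self.destroyed = False

    def alias(self, identity: tuple) -> str:
        """Return a stable alias for an identity, minting one on first sight.

        Stability matters: the same person gets the same alias, so records about
        them can still be linked without knowing who they are."""
        if self.destroyed:
            raise RuntimeError("alias table destroyed; cannot pseudonymise")
        if identity not in self._alias_for:
            token = "p-" + secrets.token_hex(8)  # random, carries no information
            self._alias_for[identity] = token
            self._identity_for[token] = identity
        return self._alias_for[identity]

    def reidentify(self, alias: str) -> Optional[tuple]:
        """Invert a pseudonym. Only possible while the table exists."""
        if self.destroyed:
            return None
        return self._identity_for.get(alias)

    def destroy(self) -> None:
        """Irreversibly drop the table: without it, the data set is anonymised
        as far as these direct identifiers are concerned."""
        self._alias_for.clear()
        self._identity_for.clear()
        self.destroyed = True


def pseudonymise(records: list[dict], vault: PseudonymVault) -> list[dict]:
    """Replace the direct identifiers of each record with an alias.

    The remaining attributes are kept unchanged; whether they still allow the
    person to be singled out has to be assessed separately under the
    'reasonable likelihood' test of Recital 26 GDPR."""
    out = []
    for rec in records:
        identity = tuple(rec[field] for field in DIRECT_IDENTIFIERS)
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"alias": vault.alias(identity), **rest})
    return out


def contains_direct_identifier(records: list[dict], originals: list[dict]) -> bool:
    """Check that no value of a direct identifier survives in the output."""
    sensitive = {rec[field] for rec in originals for field in DIRECT_IDENTIFIERS}
    return any(v in sensitive for rec in records for v in rec.values())


def demo() -> tuple[list[dict], list[dict], PseudonymVault]:
    """Constructed sample data: three records, two of them on the same person."""
    raw = [
        {"name": "A. Example", "email": "a@example.invalid", "order": 17, "city": "Graz"},
        {"name": "B. Example", "email": "b@example.invalid", "order": 18, "city": "Linz"},
        {"name": "A. Example", "email": "a@example.invalid", "order": 19, "city": "Graz"},
    ]
    vault = PseudonymVault()
    pseudo = pseudonymise(raw, vault)
    return raw, pseudo, vault
```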
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information to be stored on multiple persons. Already storing structured information on a single person may qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller must be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of a ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing within an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which the data is published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that integrate a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing where it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires another processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad, i.e. any party to which personal data is disclosed, irrespective of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer take full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, on the other hand, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, the controller, the processor or any other person authorised to process personal data by the controller. Its notion becomes mainly relevant in the balancing of interests, such as in Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, although considered a third party from the point of view of the controller, they become controllers themselves for the processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data Subjects must be able to understand the circumstances of processing of their personal data to estimate the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case-law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>EUCJ, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, like terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law of the Court of Justice in the context of cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had simply not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16, while member states may not reduce that age limit to below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more detailed information, check out the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach===<br />
A ‘personal data breach’ can be considered as any security incident concerning personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organizational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of, or access to, such data. Where personal data is disclosed, the mere possibility of accessing that data already qualifies as a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existent or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant for [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data referring to the physical, physiological or behavioural characteristics of a natural person obtained from specific technical processing which allows for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification place a higher burden.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'Dactyloscopic data'.</ref> as examples of biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow a unique identification, such as body size or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data could then fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications, as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless, high level of protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently to determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, the presence of a single representative can already constitute a stable arrangement, provided that the representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the member states concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of processing finally signed off?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration. <br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, provided that establishment is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that even the intention of an establishment in a member state to provide advertising space for a third-country undertaking amounts to processing of personal data in the context of the activities of the Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are any legal or natural persons established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs with regard to controllers and processors established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming “unreachable” for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be carried out on a long-term basis rather than only occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between the ‘enterprise’ and the ‘undertaking’, translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not thereby form a group of undertakings with it.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
<br />
* The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* The transfer of data for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from that of a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’ for short) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve for intra-corporate transfers, i.e. between entities of the group of undertakings or enterprises concerned. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
There are, however, additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules therefore have to be approved beforehand by the national DPA concerned.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information for these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states may decide to establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In any case, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It operates under its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority is competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> the authorities shall cooperate, mutually assist each other and conduct joint operations in order to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and shall be provided with several competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the above-mentioned articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in one of three situations laid out in Article 4(22) GDPR:<br />
<br />
* when the controller or processor is established in the member state of that supervisory authority,<br />
* when the data subject resides in the member state of that supervisory authority and is, or is likely to be, substantially affected by the processing of personal data, or<br />
* where a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller/Processor Establishment ====<br />
A DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of whether such arrangements take the legal form of a branch or a subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is supported by the EUCJ, which regards any real and effective activity exercised through stable arrangements as an establishment, regardless of its legal form.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== (Likely) Substantial Effect on the Data Subject ====<br />
A substantial effect, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> However, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether the processing substantially affects, or is likely to substantially affect, the data subject is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with a DPA other than that of the member state in which the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even if the data subject has no residence within the EU and is not (likely to be) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-border processing===<br />
Cross-border processing means any processing of personal data which takes place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in multiple member states, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one member state.<br />
<br />
Both alternatives are therefore attached to the notion of ‘establishment’: (a) requires the controller or processor to have establishments in different member states of the Union, while (b) only requires the controller or processor to have an establishment within a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
==== Processing in the Context of Establishments within Multiple Member States ====<br />
The notion of establishment is again to be interpreted broadly. It covers any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of its formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out by the establishment itself; it suffices that it takes place in the context of the establishment's activities. Where the establishment in the EU does not itself process the personal data, an inextricable link between the activities of the establishment and the processing is sufficient.<ref>EUCJ, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links to the processing in question do not bring another entity into play and therefore do not give rise to ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
==== Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States ====<br />
A substantial effect again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subjects.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether the processing substantially affects, or is likely to substantially affect, data subjects is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority where the processing concerns the supervisory authorities of multiple member states. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and reasoned objection===<br />
The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a draft decision provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in the context of cross-border processing.<ref>See Article 4(23) GDPR.</ref> When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).<br />
<br />
In order not to overload the EDPB with submissions that are not well founded or that rely on weak arguments and delay decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold: objections must be ‘relevant’ and ‘reasoned’. In this regard, they have to show whether there is an infringement of, or compliance with, the GDPR in opposition to the lead authority's draft decision, clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref><br />
<br />
An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely voice concerns of a general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires providing the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the non-negligible risks for the data subjects or the free flow of personal data that the draft decision entails.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref><br />
<br />
The notion of a relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 Sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].<br />
<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20048Article 4 GDPR2021-09-23T14:21:27Z<p>JS: Uploading Article 4(23) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the existing interpretation of those terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; these require a fresh interpretation, and there is correspondingly more scope for new readings. <br />
<br />
<br />
Since the Regulation is equally binding in all official languages of the EU, linguistic inconsistencies between language versions could lead to an inconsistent application of the law. Whenever the interpretation of a term is in doubt, other language versions may therefore be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘natural person’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
By using the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> The Commission took the same position in its 1990 proposal for the Directive, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> a position also in line with the Council's wish to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The European Court of Human Rights likewise held that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95], 16 February 2000.</ref><br />
<br />
Accordingly, personal data includes information regarding the individual’s private and family life as well as information regarding the individual's working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
The format or medium of the information is irrelevant: data of any type, whether alphabetical, numerical, (photo)graphical or acoustic, is covered. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''”.<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref> It is sufficient that one of the three elements is present.<br />
<br />
The content of the information relates to a person when the information is about that particular individual,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example, medical records on a patient or the file of an employee.</ref> regardless of the purpose for which it is processed. Conversely, information relating to a larger group of persons in which no individual can be singled out does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events does not relate to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the value of a house allows conclusions to be drawn about the owner's wealth and income, while car service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information on such devices increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the processing links information to a person where the information is used, or is likely to be used, with the purpose of evaluating, treating in a certain way or influencing the status or behaviour of that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose element is closely connected to the third element, the effect (or ‘result’) of the processing: information also relates to a person where its use is likely to have an impact on that person’s rights and interests, even if the content and purpose elements are absent.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a satellite location system deployed to find the nearest available taxi also allows the performance of the respective drivers to be monitored, with a considerable impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from all other members of a group directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> Identification is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Further examples are given by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A person's name is therefore not strictly required to identify an individual; the other identifiers mentioned are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a date of birth, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that takes into account not only the information and means available to the controller, but also those available to other entities. The requirement that such means be “reasonably likely to be used”, however, narrows this to a relative (subjective) assessment. Recital 26 sentence 4 GDPR adds that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identification, taking into account state-of-the-art tools, available sources and the costs, time and effort required. In ''Breyer'', for example, the dynamic IP addresses logged by the operator of German federal government websites were held to relate to identifiable persons, because the operator had legal means, particularly in the event of a cyber attack, of having the competent authority obtain from the internet service provider the additional information needed to link an address to the subscriber.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means needed to identify individuals become increasingly reasonable to use.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR expressly provides that pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The protection afforded by the GDPR is not restricted to nationals or residents of particular countries, but applies to all natural persons, whatever their nationality or place of residence.<ref>Recital 14 sentence 1 GDPR.</ref> This corresponds to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
National legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ considerably between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data within the meaning of the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide for rules regarding the processing of personal data of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through national data protection, constitutional or personality rights. A further exception can apply to genetic data, where data of deceased persons may be indirectly protected because it also relates to their living relatives.<ref>Especially where genetic diseases of the parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law may grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information regarding legal persons is nevertheless protected by the GDPR where it is at the same time information on a natural person. In particular, where information on a legal person allows conclusions to be drawn about the natural person behind it, for example because the company’s name or e-mail address contains that person's name, it relates to a natural person and is therefore personal data. This is especially common for small businesses, family-run companies and sole proprietorships.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data in CJEU Case Law ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12 and C-372/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, and reference numbers issued and used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence and information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his or her telephone number or information about working conditions and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance images of identifiable persons<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate at a professional examination and any comments made by the examiner<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints taken for storage in a passport<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To qualify as ‘processing’, the operation in question must relate to personal data within the meaning of Article 4(1) GDPR. It can be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means; it does not require electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref> Note, however, that manual processing only falls within the material scope of the GDPR where the personal data form part of a filing system or are intended to form part of one (see [[Article 2 GDPR|Article 2(1) GDPR]]).<br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of individual pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that facilitates access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (retaining information on a physical, readable medium), such as keeping information on paper, in files, on disks or drives, or on (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjusting the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changing the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to send messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparing information against other data or against specific criteria), such as grid investigations (also known as ‘dragnet’ searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking data in order to limit its further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting the stored data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step with regard to information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition to process nor an erasure of personal data. It is a limitation that allows the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions to the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realized through markers on the data in question that ‘lock’ it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, the data has to be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
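The marker-based mechanism described in this section, as an added example that is not part of the commentary: a record carries a restriction marker, every processing operation checks it before running, changes are refused while it is set, and lifting the restriction requires that the data subject was informed first. Field names, purpose names and the audit format are assumptions.<br />
<br />
```python
"""Restriction of processing as a technical safeguard (Article 4(3), Recital 67 GDPR).

Added example, not part of the GDPRhub commentary: a record carries a restriction
marker, and every processing operation checks that marker before it runs.
Record fields, purpose names and the audit format are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Purposes a restricted record may still be processed for: storage plus the narrow
# purposes the commentary calls "very limited" (names are illustrative assumptions).
PERMITTED_WHILE_RESTRICTED = frozenset({"storage", "legal_claims", "consent_of_subject"})


class RestrictionViolation(Exception):
    """An operation would process or change restricted personal data."""


@dataclass
class Record:
    subject_id: str
    data: dict[str, Any]
    restricted: bool = False            # the marker that 'locks' the data
    restriction_reason: str = ""
    subject_informed_of_lifting: bool = False
    audit: list[str] = field(default_factory=list)


def restrict(rec: Record, reason: str) -> None:
    """Set the marker instead of deleting; the data stays stored but is locked."""
    rec.restricted = True
    rec.restriction_reason = reason
    rec.subject_informed_of_lifting = False
    rec.audit.append(f"restricted: {reason}")


def read(rec: Record, purpose: str) -> dict[str, Any]:
    """Read access is refused for any purpose outside the permitted set."""
    if rec.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
        rec.audit.append(f"denied read for purpose '{purpose}' (restricted)")
        raise RestrictionViolation(
            f"record {rec.subject_id} is restricted; purpose '{purpose}' not permitted")
    rec.audit.append(f"read for purpose '{purpose}'")
    return dict(rec.data)


def update(rec: Record, changes: dict[str, Any]) -> None:
    """Recital 67 sentence 2: restricted data must not be changed at all."""
    if rec.restricted:
        rec.audit.append("denied update (restricted)")
        raise RestrictionViolation(f"record {rec.subject_id} is restricted; no changes allowed")
    rec.data.update(changes)
    rec.audit.append(f"updated fields {sorted(changes)}")


def lift_restriction(rec: Record) -> None:
    """Article 18(3): the data subject is informed before the restriction is lifted."""
    if not rec.subject_informed_of_lifting:
        raise RestrictionViolation("inform the data subject before lifting the restriction")
    rec.restricted = False
    rec.restriction_reason = ""
    rec.audit.append("restriction lifted")


def export_for_purpose(records: list[Record], purpose: str) -> list[dict[str, Any]]:
    """Bulk operation (e.g. a marketing export) that leaves restricted records out
    instead of failing as a whole; each denial is still written to the audit trail."""
    out = []
    for rec in records:
        try:
            out.append(read(rec, purpose))
        except RestrictionViolation:
            continue
    return out


def denied(operation, *args) -> bool:
    """True if the safeguard refused the operation (helper for checks)."""
    try:
        operation(*args)
    except RestrictionViolation:
        return True
    return False


def demo() -> list[Record]:
    """Constructed sample records: Alice contests accuracy, Bob is unrestricted."""
    alice = Record("subj-001", {"name": "Alice Example", "city": "Vienna"})
    bob = Record("subj-002", {"name": "Bob Example", "city": "Graz"})
    restrict(alice, "accuracy contested by data subject, Article 18(1)(a)")
    return [alice, bob]


if __name__ == "__main__":
    recs = demo()
    print(export_for_purpose(recs, "marketing"))   # only Bob's record is exported
    print(recs[0].audit)
```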
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical-mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Popular examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant for many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed about the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in a way that information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject through the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05 (2015), p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3, 4 GDPR, considering the costs, the amount of time and the technology available to identify the data subject. However, given the recent emergence of big data analytics and data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
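The separation between the pseudonymised working data and the re-identification information described in this section, as an added example that is not part of the commentary: a keyed hash replaces the direct identifier, the key and the mapping are held apart as the ‘additional information’, the holder of that information can re-identify (so the data remains personal data), and an unkeyed hash of a known identifier shows why a plain hash alone does not pass the Recital 26 test. Field names and sample records are constructed assumptions.<br />
<br />
```python
"""Pseudonymisation versus anonymisation (Article 4(5), Recital 26 GDPR).

Added example, not part of the GDPRhub commentary. The direct identifier is
replaced by a keyed hash; the key and the token-to-identifier mapping are the
'additional information' that has to be kept separately. Record fields and
the sample data are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_HEX_LEN = 16


@dataclass
class AdditionalInformation:
    """Kept apart from the working data set, under its own access controls:
    the secret key and the reverse mapping token -> identifier."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict[str, str] = field(default_factory=dict)


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: without the key a guessed identifier cannot be
    turned into the token, so the tokens alone do not single out a person."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def plain_hash_token(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier, the weak variant: anyone who knows a
    candidate identifier can recompute it and link the record."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:TOKEN_HEX_LEN]


def pseudonymise(records: list[dict], extra: AdditionalInformation,
                 id_field: str = "email") -> list[dict]:
    """Replace the direct identifier with a keyed token and record the reverse
    mapping in the separately stored additional information."""
    out = []
    for rec in records:
        token = keyed_token(rec[id_field], extra.key)
        extra.mapping[token] = rec[id_field]
        pseudonymous = {k: v for k, v in rec.items() if k != id_field}
        pseudonymous["subject_token"] = token
        out.append(pseudonymous)
    return out


def reidentify(token: str, extra: AdditionalInformation) -> Optional[str]:
    """The party holding the additional information can reverse the
    pseudonymisation, which is why pseudonymised data stays personal data."""
    return extra.mapping.get(token)


def candidate_links_to(candidate_identifier: str, token: str) -> bool:
    """Recital 26 test from the outside: can someone without the key link a
    known identifier to this token by recomputing an unkeyed hash?"""
    return plain_hash_token(candidate_identifier) == token


def anonymise(extra: AdditionalInformation) -> None:
    """Destroying key and mapping removes the controller's means of
    re-identification; whether that suffices is the Recital 26 question."""
    extra.mapping.clear()
    extra.key = b""


SAMPLE_RECORDS = [  # constructed sample data
    {"email": "alice@example.org", "plan": "basic", "city": "Vienna"},
    {"email": "bob@example.org", "plan": "premium", "city": "Graz"},
]


if __name__ == "__main__":
    extra = AdditionalInformation()
    working_set = pseudonymise(SAMPLE_RECORDS, extra)
    print(working_set)
    print(reidentify(working_set[0]["subject_token"], extra))   # alice@example.org
    anonymise(extra)
    print(reidentify(working_set[0]["subject_token"], extra))   # None
```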
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterized by a structured set of personal data accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored either on a single or on multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require information to be stored on multiple persons. Already storing structured information on a single person may qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19-Guest-Lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. A controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of a ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which shall ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires another processing agreement and an authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad, i.e. any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller, whenever it discloses personal data to another entity, can no longer assume full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that the entity requires a particular degree of sovereignty in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. Its notion becomes mainly relevant in terms of the weighing of interests, such as in Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this regard, although considered a third party from the point of view of the controller, such employees become controllers themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>''CJEU'', C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice regarding cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>''CJEU'', C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>''CJEU'', C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject about the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz 03/07 (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16, while Member States may not reduce that age limit to below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more detailed information, check out the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a security breach within that processing. Such breaches are any failures of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or persons instructed by it, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storages or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storing infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unrestorable encryption through ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to data. Wherever personal data is disclosed, this qualifies as a personal data breach through the mere possibility of accessing that data; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of the controller's obligations to notify DPAs and to communicate with data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data is relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict conditions.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and on their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing, which allows a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as body height or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, present or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications, as well as participation in self-help groups,<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay,<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work,<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement when that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similar to the rules for controllers, the main establishment of a processor with establishments in multiple member states shall also be the place of its central administration.<br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that even an establishment in a member state intended to promote and sell advertising space for a third-country undertaking means that personal data is processed in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are any natural or legal persons established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents such actors, established only in a third country, from becoming unreachable for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be held accountable under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be long-term and not merely occasional.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings is relevant for several provisions across the GDPR, such as<br />
<br />
- The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
<br />
- The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
<br />
- The data transfer for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
<br />
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such groups consist of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-group transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside these groups are not covered by binding corporate rules.<br />
<br />
There are, moreover, additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to provide one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It adheres to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and shall be provided with several competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the articles mentioned above.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in three situations laid out by Article 4(22) GDPR:<br />
<br />
* when a controller or processor is established in the member state of that supervisory authority,<br />
* when a data subject residing in the member state of that supervisory authority is (or is likely to be) substantially affected by the processing of personal data, or<br />
* when a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller/Processor Establishment ====<br />
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of whether such arrangements take the form of an actual branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is endorsed by the CJEU, which includes any real and effective activity exercised through stable arrangements, irrespective of its legal form as an establishment.<ref>CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== (Likely) Substantial Effect on the Data Subject ====<br />
A substantial effect, although not further specified in the GDPR, requires the processing to have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> At the same time, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether the effect is substantial and whether it is likely is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with DPAs other than that of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even without the data subject having a residence within the EU or being (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-border processing===<br />
Cross-border processing means any processing taking place either<br />
<br />
(a) in the context of the activities of establishments of a controller or processor in multiple member states, or<br />
<br />
(b) in the context of the activities of a single establishment of a controller or processor in the Union which (likely) substantially affects data subjects in more than one member state.<br />
<br />
Both conditions are therefore attached to the notion of ‘establishment’: (a) requires the controller or processor to have multiple establishments in different member states of the Union, while (b) only requires the controller or processor to have an establishment in a single member state of the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref><br />
<br />
==== Processing in the Context of Establishments within Multiple Member States ====<br />
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of any formal designation as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out by the establishment itself, but can also take place in the context of its activities. If the establishment in the EU does not itself process the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.<ref>CJEU, Google Spain, C-131/12, 13 May 2014, margin numbers 53, 56; CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Merely remote links between an establishment and the processing in question are not sufficient and therefore do not constitute ‘cross-border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref><br />
<br />
==== Processing (likely) to Substantially Affect Data Subjects in Multiple Member States ====<br />
A substantial effect, again, requires a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an effect is sufficient; an actual effect is not required. Whether the processing substantially affects data subjects, or is likely to do so, is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref><br />
<br />
The assessment of cross-border processing is relevant for determining the competent lead supervisory authority where the processing concerns more than one member state. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on [[Article 56 GDPR]].<br />
<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS

https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20046 Article 4 GDPR 2021-09-23T14:15:47Z <p>JS: Uploading Article 4(22) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; in their case there is scope for new readings of the terms. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into the four requirements of (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) ‘individual’, which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also taken up by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows the owner's wealth and income situation to be inferred, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (like GPS data and coordinates) also allows locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” directly from a larger group of persons on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned and often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not been identified yet but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities. However, the requirement that the use of such information be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, Recital 26 GDPR explicitly states that pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define natural personhood as lasting from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data according to the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited amount of recipients), such as newspapers articles, broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step regarding information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realized through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject has to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical and mathematical methods to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant within many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, see [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive removal of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the recent emergence of big data analytics and data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
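The difference between a keyed pseudonym whose key is held apart from the data, an unkeyed hash of a name, and genuine anonymisation, shown as an added Python illustration that is not part of this commentary or of any cited source; the records, names and key are constructed for the example.<br />
<br />
```python
"""Pseudonymisation vs anonymisation of a small customer data set.

Added illustration, not part of the GDPRhub commentary. Records are
pseudonymised by replacing the name with a keyed token while the key
(the "additional information" of Article 4(5) GDPR) is held separately.
Anonymisation instead drops the identifier and coarsens the remaining
fields so that no way back to the person is retained by the controller.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: names and values are invented for the example.
RECORDS = [
    {"name": "Alice Example", "postcode": "1010", "income": 52300},
    {"name": "Bob Example", "postcode": "1020", "income": 41800},
    {"name": "Alice Example", "postcode": "1010", "income": 52300},
]


def _token(key: bytes, name: str) -> str:
    """HMAC-SHA256 of the name under a secret key, truncated for readability."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the name with a keyed token; the key is the separately stored
    additional information. The same name yields the same token, so records
    of one person stay linkable, and the key holder can re-identify them."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != "name"}
        pseudo["subject_id"] = _token(key, rec["name"])
        out.append(pseudo)
    return out


def reidentify(pseudo_records, key: bytes, candidate_names):
    """Re-attribute tokens to names; only possible for whoever holds the key.
    Returns None for tokens that match no candidate."""
    table = {_token(key, n): n for n in candidate_names}
    return [table.get(r["subject_id"]) for r in pseudo_records]


def plain_hash_pseudonym(name: str) -> str:
    """Unkeyed SHA-256 of the name. This is still pseudonymisation, not
    anonymisation: no secret is needed to recompute it."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def reverse_plain_hash(digest: str, candidate_names):
    """Shows why unkeyed hashing of low-entropy identifiers is invertible with
    'means reasonably likely to be used' (Recital 26): a list of plausible
    names is enough, no additional information from the controller required."""
    for name in candidate_names:
        if plain_hash_pseudonym(name) == digest:
            return name
    return None


def anonymise(records):
    """Drop the direct identifier and coarsen postcode and income band.
    No mapping table or key is kept, so the output cannot be linked back."""
    return [
        {
            "district": rec["postcode"][:2] + "xx",
            "income_band": (rec["income"] // 10000) * 10000,
        }
        for rec in records
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would be stored apart from the data set
    pseudo = pseudonymise(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("key holder re-identifies:", reidentify(pseudo, key, ["Alice Example", "Bob Example"]))
    print("unkeyed hash reversed:", reverse_plain_hash(plain_hash_pseudonym("Bob Example"), ["Alice Example", "Bob Example"]))
    print("anonymised:", anonymise(RECORDS))
```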
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterized by a structured set of personal data accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021); CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralized or decentralized manner. Also, a filing system does not require information on multiple persons to be stored; structured information on a single person alone may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be held by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller must be able to demonstrate that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
Where the purposes and means of the processing are determined jointly, these responsibilities can be shared between several entities. In such cases of ‘joint’ or ‘co-controllership’, the entities must determine their respective responsibilities for the processing in an arrangement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means can differ considerably between the actors involved in the processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within the search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which the data are published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that embed a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the website operator and enables Facebook to obtain personal data of the visitors to that website.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially important to clarify the responsibilities of each controller in accordance with [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the technical operations of processing the personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed a number of examples of controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
An entity qualifying as a processor is subject to many provisions of the GDPR, such as the obligation to implement technical and organisational measures (see [[Article 32 GDPR]]), liability towards data subjects (see [[Article 82 GDPR]]) and administrative fines (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the prior authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of recipient is very broad: it covers any party to which personal data are disclosed, whether or not it is a third party. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of recipient is primarily relevant for the controller’s information obligations. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully take responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of recipient is entirely independent of that of third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor has received its own legal definition. Considering the additional risk that arises from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform data subjects about its processors as recipients under [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the works council or dependent establishments of the controller, are on the other hand not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a certain degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that form an inseparable part of the controller’s internal structure are therefore not to be classified as recipients.<br />
<br />
Another exception applies to public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the entities defined above. It is defined negatively, as any person other than the data subject, the controller, the processor or persons who, under the direct authority of the controller or processor, are authorised to process personal data. The notion is mainly relevant for the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Dependent branches or departments of a controller are likewise not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller’s internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, besides being third parties from the controller’s point of view, they become controllers themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis listed in Article 6(1)(a) GDPR. It expresses the data subject’s agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not a mere legal fiction, it is subject to additional, cumulative criteria laid down in its definition and complemented by [[Article 7 GDPR]]. In order to be valid, consent has to be freely given, specific, informed and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor is consent presumed to be freely given where the performance of a contract or the provision of a service is made conditional on consent to processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples of situations in which imbalances of power and bundled consent typically occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with few alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
The request for consent needs to be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be capable of being “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give the information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously, by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed by recent case law of the Court of Justice in the context of cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent does not demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice it is impossible to ascertain whether a user who did not deselect a pre-ticked checkbox actually gave their consent or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent must be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent before consent is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual capacity of understanding of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> For information society services offered directly to a child, [[Article 8 GDPR|Article 8(1) GDPR]] sets a minimum age of 16, which Member States may lower, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The qualified form of ‘explicit’ consent is required by several other provisions of the GDPR. For more detail, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach must relate to the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although transmission and storage are explicitly mentioned, any other type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, there must be a breach of security within that processing. Such a breach is any failure of the technical or organisational measures implemented by the controller under [[Article 32 GDPR]]. These failures can be caused either by targeted attacks by other parties or by mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of breaches of security are:<br />
<br />
* Hacking attacks on systems holding personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access controls on data storage or premises,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully passing data on to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidental publication or leak of data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption of data by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The incident must lead to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or access. Wherever personal data is disclosed, the mere possibility of accessing that data is sufficient for a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach is especially relevant for the controller’s obligations to notify the supervisory authority and to communicate the breach to the data subjects under [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Recital 34 GDPR gives examples of how such data is obtained, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis.<br />
<br />
The classification as genetic data is relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which permits its processing only under strict conditions.<ref>Additionally, Member States may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and on their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms their unique identification. While biometrics in general covers any means of measuring and analysing human characteristics,<ref>Usually through the creation of reference patterns that are later compared with the data subject for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification narrow the legal definition considerably.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing means that simple pictures or even passport photographs are not as such biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example by facial recognition software, that turns the extracted patterns into biometric data. In the same way, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may constitute biometric data.<br />
<br />
Other data that does not allow unique identification, such as height or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may fall under the definition of ‘data concerning health’, which enjoys the same protection as biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. Any information on diseases, disease risks, disabilities, their treatment and the medical history of a particular natural person therefore explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medication, as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it overlaps strongly with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples''”.</ref> so as to provide seamless protection at a high level within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. in the public health sector) sensitive data may need to be processed without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority for cross-border processing.<br />
<br />
It is for the supervisory authorities to determine the main establishment of an entity on the basis of objective criteria and, from that, the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof lies with controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis on the basis of an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, when assessing whether there is an establishment, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, the presence of a single representative can already constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the equipment necessary to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If the decisions on the purposes and means of processing are not taken at the place of the controller’s central administration in the EU, the main establishment is the establishment where those decisions are effectively and really taken and which has the power to have them implemented.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This depends neither on the place where the processing is carried out nor on the use of technical means or technologies for the processing. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria laid down in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in multiple member states is also the place of its central administration.<br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place in the context of its activities, to the extent that the processor is subject to obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that the activity of a member state’s establishment in providing advertising space for a third-country undertaking already constitutes processing of personal data in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union who is designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services”'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents such actors, established only in a third country, from becoming “unreachable” for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation must be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires regular engagement in economic activities, meaning activities pursued on a lasting basis rather than only occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities are excluded (household activities; see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between the ‘enterprise’ and the ‘undertaking’, the translations into other languages merged them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines under [[Article 83 GDPR]], which, in the English version, refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thus not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action against, or determining fines for, a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
* the joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* the formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* the transfer of data for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* the determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such groups consist of separate and independent entities that do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ adopted by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-group transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
There are, moreover, additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states may establish one or several DPAs, reflecting their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(21) GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is subject to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority is competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> supervisory authorities must cooperate, assist each other and conduct joint operations in order to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and are vested with competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the articles mentioned above.<br />
<br />
===(22) Supervisory authority concerned===<br />
A supervisory authority qualifies as ‘concerned’ in any of the three situations laid down in Article 4(22) GDPR:<br />
<br />
* the controller or processor is established in the member state of that supervisory authority,<br />
* data subjects residing in the member state of that supervisory authority are, or are likely to be, substantially affected by the processing of their personal data, or<br />
* a complaint has been lodged with that supervisory authority.<br />
<br />
==== Controller/Processor Establishment ====<br />
The DPA is concerned when a controller or processor is established in its jurisdiction. This covers any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> irrespective of the form of such arrangements, whether an actual branch or a subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is endorsed by the CJEU, which includes any real and effective activity exercised through stable arrangements, irrespective of the formal legal form of the establishment.<ref>CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref><br />
<br />
==== (Likely) Substantial Effect on the Data Subject ====<br />
Although not further specified in the GDPR, being ‘substantially affected’ indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> However, the mere likelihood of such an effect is sufficient; an actual effect is therefore not required. Whether the data subject is, or is likely to be, substantially affected is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to that state as the permanent centre of its habitual life.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref><br />
<br />
==== Filing a Complaint with the Supervisory Authority ====<br />
Filing a complaint with a particular supervisory authority qualifies it as a ‘concerned’ authority. Since complaints can also be filed with a DPA other than that of the member state where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be concerned even without the data subject residing within the EU or being (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].<br />
<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
<br />
===(25) Information society service===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20045
Article 4 GDPR
2021-09-23T14:09:33Z
<p>JS: Uploading Article 4(21) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their interpretation can build on the understanding that already exists for those terms. Other definitions, however, are newly introduced, modified or complemented with additional elements, and therefore leave scope for, and require, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is equally binding in all official languages of the EU. Whenever an interpretation is in doubt, other language versions may therefore be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘natural person’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> The Commission took the same position in its 1990 proposal for the Directive, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM(92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In the same vein, the European Court of Human Rights has held that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes information regarding the individual’s private and family life as well as information regarding the working, economic or social behaviour of the individual, regardless of the capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of the data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> Nor is it necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing by a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will therefore reveal information relating to the child and also about e.g. her father's or mother's behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
By its content, information relates to a person when it is about that particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient or the personnel file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS coordinates) allows locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information about such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, information relates to a person by its purpose where it is used, or is likely to be used, with the purpose of evaluating, treating in a certain way or influencing the status or behaviour of that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose element is closely connected to the effect element: information also relates to a person where its use is likely to have an impact on that person's rights and interests.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is ‘identified’ where he or she can be distinguished, or ‘singled out’, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through ‘identifiers’, of which Article 4(1) GDPR lists several: a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. The WP29 provides further examples, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, as the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually needs to be combined with further information such as a date of birth, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is ‘identifiable’ where he or she has not yet been identified but identification is possible, for instance through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both the information held by the controller and information held by other entities. However, the requirement that the means be ‘reasonably likely to be used’ narrows this to a relative (subjective) approach. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify a person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> a merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identification, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of dynamic IP addresses collected from visitors of government websites, for example, each address relates to an identifiable person because the state has legal means to obtain from the internet service provider the additional information required to link the address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, the means required to identify individuals become ever more likely to be reasonably available.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> This holds especially where information is stored over a long period of time, as persons become more likely to be identified the more pieces of information are added to the data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
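The ‘means reasonably likely to be used’ test and the status of pseudonymised data can be illustrated with a worked example in Python. It is an added example and not part of the original commentary or of any cited source; the log line, the address range and the key are constructed for it. An unkeyed hash of an identifier with a small value space, such as an IPv4 address, does not make the data anonymous: the hash is inverted simply by hashing every candidate address, at most 2^32 computations, which is well within the ‘costs and time’ that Recital 26 treats as reasonably likely. A keyed pseudonym (HMAC under a secret key) resists that enumeration without the key, but the key is exactly the ‘additional information’ of Article 4(5) GDPR: whoever holds it can re-link the pseudonym, so the data remain personal data in that party's hands.<br />
<br />
```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed sample input (not a real visitor): one Common Log Format line
# using an address from the RFC 5737 documentation range 203.0.113.0/24.
SAMPLE_LOG_LINE = (
    '203.0.113.42 - - [06/Aug/2021:10:15:32 +0000] '
    '"GET /index.html HTTP/1.1" 200 512'
)
# Assumption for the example: the candidate space an attacker would enumerate.
# It is limited to the documentation /24 so the demonstration runs in
# milliseconds; for real IPv4 addresses it is 0.0.0.0/0, i.e. 2^32 candidates.
CANDIDATE_NETWORK = "203.0.113.0/24"


def client_ip(log_line: str) -> str:
    """Return the client address field of a Common Log Format line."""
    return log_line.split(" ", 1)[0]


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address, often mislabelled 'anonymisation'.

    The input space is tiny (2^32 IPv4 addresses), so anyone can invert the
    mapping by hashing every candidate: the cost and time Recital 26 asks
    about amount to a single CPU for well under a day, or a GPU for seconds.
    """
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address under a secret key.

    Without the key, enumerating addresses yields nothing. The key is the
    'additional information' of Art. 4(5) GDPR: it must be kept separately
    under technical and organisational measures, and whoever holds it can
    re-link the pseudonym to the visitor.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(
    target: str, network: str, derive: Callable[[str], str]
) -> Optional[str]:
    """Try every address in `network`; return the one whose `derive` output
    equals `target`, or None if the mapping cannot be inverted this way."""
    for host in ipaddress.ip_network(network):
        candidate = str(host)
        if hmac.compare_digest(derive(candidate), target):
            return candidate
    return None


def identifiability_report(log_line: str, key: bytes, network: str) -> dict:
    """Summarise who can single out the visitor behind each kind of token."""
    ip = client_ip(log_line)
    hashed = naive_pseudonym(ip)
    pseudonym = keyed_pseudonym(ip, key)
    return {
        # Anyone can reverse an unkeyed hash of a low-entropy identifier.
        "unkeyed_hash_reversed_by_anyone": reverse_by_enumeration(
            hashed, network, naive_pseudonym
        ),
        # A third party without the key gets nowhere by enumeration.
        "keyed_pseudonym_reversed_without_key": reverse_by_enumeration(
            pseudonym, network, naive_pseudonym
        ),
        # The controller holding the key still singles the visitor out,
        # so for it the pseudonymised log remains personal data.
        "keyed_pseudonym_relinked_with_key": reverse_by_enumeration(
            pseudonym, network, lambda h: keyed_pseudonym(h, key)
        ),
    }


if __name__ == "__main__":
    # Assumption: the key is generated once and stored apart from the logs.
    separately_held_key = b"constructed-example-key"
    report = identifiability_report(
        SAMPLE_LOG_LINE, separately_held_key, CANDIDATE_NETWORK
    )
    for label, value in report.items():
        print(f"{label}: {value}")
```
<br />
Running the script shows the unkeyed hash recovered as 203.0.113.42 by plain enumeration, the keyed pseudonym not recovered without the key, and the same pseudonym re-linked to 203.0.113.42 once the key is supplied. The same reasoning applies to any identifier with a small or guessable value space (telephone numbers, national identification numbers, e-mail addresses drawn from a known list): hashing alone changes the form of the identifier, not the reasonable likelihood of identification.<br />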
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or residents of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
National legal systems usually define the legal personality of a natural person as lasting from birth until death.<ref>However, the rules for unborn children differ considerably between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide for rules regarding the protection of deceased persons' data,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. An exception can apply to genetic data, where data of deceased persons may be protected indirectly through their living relatives.<ref>Especially where a genetic disease of a parent indicates that the children may suffer from the same disease, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information regarding a legal person is nevertheless protected by the GDPR where it is at the same time information on a natural person. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address containing a person's name, it relates to that natural person and is therefore personal data. This is especially common for small, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data in the Case Law of the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
<br />
*Data, which relate both to the monies paid by certain bodies and the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref><br />
<br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
<br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
<br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers in a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To qualify as 'processing' under Article 4(2) GDPR, the operation in question must be performed on personal data within the meaning of Article 4(1) GDPR. It can be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means; it does not require any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (retaining information on a physical, readable medium), such as keeping information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data or specific criteria), such as grid investigations (also known as 'dragnet' searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive, taking no active step towards information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation under which the controller may process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, restrictions of processing occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted because of legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that 'lock' it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction must be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data alone is typically not sufficient; the data must be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods can include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, a data subject who has obtained a restriction of processing must be informed by the controller before the restriction is lifted, [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
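The following Python code is an added example, not part of this commentary or of any product it cites: it shows what the 'marker' described above looks like when it is enforced by the system rather than left to users. The store, the record, the purpose labels and the audit trail are all constructed for illustration; the set of purposes that remain permitted while data is restricted is our reading of Article 18(2) GDPR (storage, consent, legal claims, protection of the rights of another person, important public interest), and the notification of the data subject before lifting the restriction (Article 18(3) GDPR) is left outside the example.<br />

```python
"""Restriction of processing enforced by a marker on the record (added example;
not part of the gdprhub commentary). Store, purposes and records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Purposes for which restricted data may still be processed. Assumption: these
# labels are ours; they follow Article 18(2) GDPR, under which restricted data
# may, apart from storage, only be processed with the data subject's consent,
# for legal claims, to protect the rights of another person, or for reasons of
# important public interest.
PERMITTED_WHILE_RESTRICTED = frozenset(
    {"storage", "consent", "legal_claims", "protect_rights_of_others", "public_interest"}
)


class ProcessingRestricted(Exception):
    """Raised when an operation hits a restricted record for a non-permitted purpose."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False            # the marker of Article 4(3) GDPR
    audit: List[str] = field(default_factory=list)


class Store:
    """Every read or update goes through _check(), so the marker is enforced
    by the system rather than by users remembering to look at a flag."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def put(self, record: Record) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str) -> None:
        self._records[subject_id].restricted = True

    def lift(self, subject_id: str) -> None:
        # Article 18(3): the data subject is informed before the restriction is
        # lifted; the notification itself is outside this example.
        self._records[subject_id].restricted = False

    def read(self, subject_id: str, purpose: str) -> Dict[str, str]:
        rec = self._records[subject_id]
        self._check(rec, purpose)
        return dict(rec.data)

    def update(self, subject_id: str, field_name: str, value: str, purpose: str) -> None:
        rec = self._records[subject_id]
        self._check(rec, purpose)
        rec.data[field_name] = value

    def audit_trail(self, subject_id: str) -> List[str]:
        return list(self._records[subject_id].audit)

    @staticmethod
    def _check(rec: Record, purpose: str) -> None:
        if rec.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
            rec.audit.append(f"blocked:{purpose}")
            raise ProcessingRestricted(
                f"{rec.subject_id}: restricted, purpose {purpose!r} not permitted"
            )
        rec.audit.append(f"allowed:{purpose}")


def demo() -> List[str]:
    """Walk through restrict -> blocked marketing update -> permitted legal
    claim -> lift -> marketing allowed again, and return the audit trail."""
    store = Store()
    store.put(Record("s-1", {"email": "dana@example.org"}))   # constructed record
    store.restrict("s-1")
    try:
        store.update("s-1", "email", "new@example.org", purpose="marketing")
    except ProcessingRestricted:
        pass                                                  # expected: blocked
    store.read("s-1", purpose="legal_claims")                 # still permitted
    store.lift("s-1")
    store.read("s-1", purpose="marketing")                    # permitted again
    return store.audit_trail("s-1")


if __name__ == "__main__":
    print(demo())
```

The point of routing every operation through one check is that the marker cannot be bypassed by a caller that forgets to consult it, and the audit entries give the controller evidence of what was blocked while the restriction was in force.<br />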
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing, namely the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> Such profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health, or more general personal preferences, interests and behaviour, as well as location and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Beyond its economic relevance for controllers, profiling is relevant to many other provisions of the GDPR, such as its territorial scope (see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR) or automated individual decision-making ([[Article 22 GDPR]]). In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, either by separating the identifying information or by replacing it. For data to count as pseudonymised, this additional information must be kept separately and protected by technical and organisational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref> (note that an unkeyed hash of a low-entropy identifier such as a name or e-mail address can usually be reversed by hashing candidate values and comparing the results; the encryption key, or the key of a keyed hash, is the 'additional information' that must be kept separately)<br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05/2015, p. 210.</ref> <br />
<br />
The distinction between anonymised and pseudonymised data turns on the decisive criterion of Recital 26 sentences 3 and 4 GDPR: whether identification of the data subject is reasonably likely, taking into account the costs, the time required and the technology available. Given the advances in big data analytics and data processing capabilities, however, anonymisation is becoming increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a 'subjective anonymisation' (anonymity relative to the party holding the data),<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any event, the information allowing re-identification of the data subject must be stored separately and secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this way, pseudonymisation reduces the risks for data subjects and helps controllers and processors meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
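The following Python code is an added example, not part of this commentary: it implements the 'hashing' form of pseudonymisation listed above and shows concretely why the key counts as the 'additional information' that must be kept apart from the data set. The records, e-mail addresses and the key are constructed; the split into a pseudonymised data set and a separately held lookup table, and the dictionary attack that succeeds against a plain SHA-256 hash but not against the keyed HMAC token, are our illustration of the Article 4(5) requirement and not a method the commentary prescribes.<br />

```python
"""Pseudonymisation by keyed hashing (added example; not part of the gdprhub
commentary). All records, identifiers and keys below are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample records standing in for a controller's customer table.
RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.org", "visits": 12},
    {"email": "bob@example.org", "visits": 3},
    {"email": "carol@example.org", "visits": 7},
]


def new_pseudonymisation_key() -> bytes:
    """The secret that is the 'additional information' of Article 4(5) GDPR.
    It is generated and held by a separate custodian, never stored with the
    pseudonymised data set."""
    return secrets.token_bytes(32)


def _canonical(identifier: str) -> bytes:
    # Normalise so that 'Bob@Example.org' and 'bob@example.org' map to one token.
    return identifier.strip().lower().encode("utf-8")


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed hash (HMAC-SHA256): the same person always gets the
    same token, but nobody can recompute the token without the key."""
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, as often (wrongly) used to 'anonymise' e-mail addresses."""
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def pseudonymise(
    records: Iterable[Dict[str, object]], key: bytes
) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Split the input into (a) the pseudonymised data set handed to analysts
    and (b) the lookup table that allows re-identification. Only (b) and the
    key need the separate storage and access controls Article 4(5) demands."""
    data_set: List[Dict[str, object]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        email = str(rec["email"])
        token = pseudonym(email, key)
        lookup[token] = email
        data_set.append({"subject": token, "visits": rec["visits"]})
    return data_set, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification is possible only for whoever holds the lookup table."""
    return lookup.get(token)


def dictionary_attack(
    target: str, candidates: Iterable[str], hash_fn: Callable[[str], str]
) -> Optional[str]:
    """What an attacker without the key can do: hash guessable identifiers and
    compare. Succeeds against unkeyed hashes, fails against HMAC tokens."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data_set, lookup = pseudonymise(RECORDS, key)
    guesses = [str(r["email"]) for r in RECORDS]   # attacker's candidate list
    print("unkeyed hash recovered:", dictionary_attack(unkeyed_hash("bob@example.org"), guesses, unkeyed_hash))
    print("HMAC token recovered:  ", dictionary_attack(str(data_set[1]["subject"]), guesses, unkeyed_hash))
    print("with lookup table:     ", reidentify(str(data_set[1]["subject"]), lookup))
```

The same HMAC construction also answers the 'subjective anonymisation' point: for a recipient who holds neither the key nor the lookup table, the tokens cannot be attributed to a person by computation alone, whereas the controller holding the key can re-identify every record at will, which is exactly why the data remains pseudonymised rather than anonymised in its hands.<br />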
<br />
===(6) Filing System===<br />
The notion of 'filing system' is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach of the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when the personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information to be stored on multiple persons; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data is a controller. This includes the decisions on 'whether', 'why' and 'how' the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> The controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
Where the means and purposes of the processing are determined jointly, these responsibilities can be shared between different entities. In such cases of 'joint' or 'co-controllership', the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of 'controller' is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, (joint) controllership has been found between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements in search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a 'Like' button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]); accordingly, the decision to embed a 'Like' button on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to the stage of the processing over which it has influence on the purposes and means. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations of the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a 'joint' or 'co-controller' from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some reference examples of controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of Mail Services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) and liability for damage (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the 'sub-processor' engaged by the processor, which requires a further processing agreement and the authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of recipient is very broad: any party to which personal data is disclosed, whether a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer fully take responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is entirely independent of that of the third party.<ref>See Article 4(9) GDPR, "whether a third party or not".</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the duty to inform data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are on the other hand not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
A further exception exists for public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is a negative delimitation: any person other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. The notion becomes relevant mainly in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process the data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, although a third party from the controller's point of view, the employee becomes a controller in their own right for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent in the GDPR differs from its constitutional counterpart in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) of the Charter of Fundamental Rights of the European Union]. Consent under the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition on processing personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
The request for consent must be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be capable of being "digested" by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This gives information a more substantive and functional role. Moreover, the request has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-checked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice, it is impossible to ascertain whether a user who did not deselect a pre-ticked checkbox actually gave their consent or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while member states may lower that age limit, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unrecoverable encryption through ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to it. Where personal data is disclosed, the mere possibility of access to that data already qualifies as a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data referring to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing and allowing a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow a unique identification, such as body height or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, these may then fall under the definition of ‘health data’, which offers protection similar to that for biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on a physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or a processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, already the presence of a single representative can constitute a stable arrangement when acting with a sufficient degree of stability and the necessary equipment to provide the specific services in the member states concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration. <br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that even the activity of a member state establishment intended to provide advertising space for a third-country undertaking constitutes processing of personal data in the context of the Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are any legal or natural persons established in the Union and designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors falling within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data of subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents actors established only in a third country from becoming out of reach for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that fail to designate a representative may be tackled under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be long-term and not merely occasional.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merged them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of Undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, by having personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings are already sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
<br />
* The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* The transfer of data for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding Corporate Rules===<br />
Binding corporate rules (‘BCR’ for short) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries in the absence of an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve intra-corporate transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside of these groups are not covered by binding corporate rules.<br />
<br />
However, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules therefore have to be approved in advance by the competent national DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory Authority===<br />
Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref><br />
<br />
Member states can decide to provide one or multiple DPAs in order to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established at the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It adheres to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European institutions on their compliance with data protection rules.</ref> While each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).<br />
<br />
In this regard, DPAs act independently (see [[Article 52 GDPR]]) and shall be provided with several competences ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on the respective articles.<br />
<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20041Article 4 GDPR2021-09-23T13:52:50Z<p>JS: Uploading Article 4(20) GDPR</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. In the case of these new definitions, there is accordingly scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into the four requirements of (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the several “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given that the identifiers mentioned above are often more unique.<ref>For direct identification, the name of a person usually has to be combined with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both the controller's own information and information held by other entities. However, the requirement that the use of such information by the controller be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person using information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses of visitors to government websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, means of successfully identifying individuals become increasingly reasonable to use.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as further pieces of information are continuously added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For this reason, Recital 26 GDPR explicitly states that even pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define the status of a natural person as lasting from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company’s name or mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data according to the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using addresses to deliver orders or mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information impossible to access), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action towards information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation requiring the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions to the processing of personal data occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction should be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, the data has to be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject has to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision making, see [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is either separated or replaced so that it can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names through IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, considering recent developments in big data analytics and data processing capabilities, the process of anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> including:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
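The following Python sketch is an added illustration (not part of the commentary or of any cited work) of the distinction drawn above: pseudonymised records keep a stable pseudonym while the key and mapping table that permit re-identification are held in a separate store, whereas anonymisation discards the identifiers and releases only aggregates over groups of several persons. The names KeyVault, pseudonymise, reidentify and anonymise and the sample records are constructed for this example.<br />
<br />
```python
"""Pseudonymisation vs. anonymisation, as an added illustration of Article 4(5)
GDPR and Recital 26 (example code, not part of the commentary)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records about fictitious persons (not real data).
RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.org", "city": "Graz", "purchases": 3},
    {"name": "Anna Muster", "email": "anna@example.org", "city": "Graz", "purchases": 1},
    {"name": "Bert Beispiel", "email": "bert@example.org", "city": "Graz", "purchases": 7},
    {"name": "Cora Test", "email": "cora@example.org", "city": "Linz", "purchases": 2},
]
# Fields that directly identify the data subject and are replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("name", "email")


class KeyVault:
    """Stand-in for the separately kept 'additional information' of Article 4(5)
    GDPR: the pseudonymisation key and the pseudonym -> identity table.

    In a real deployment this lives in a separate system with its own access
    control (the technical and organisational measures the definition demands);
    the processing side only ever receives the output of pseudonymise().
    """

    def __init__(self, key=None):
        # A keyed MAC rather than a bare hash: the pseudonym of a given e-mail
        # address cannot be recomputed by anyone who does not hold the key, so
        # the key itself is part of the information that must stay separate.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table = {}

    def pseudonym_for(self, identity):
        msg = "|".join(identity).encode("utf-8")
        digest = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        pseudonym = "P-" + digest[:16]
        self.table[pseudonym] = identity  # what allows later re-identification
        return pseudonym


def pseudonymise(records, vault):
    """Replace the direct identifiers of each record with a pseudonym.

    The same person always receives the same pseudonym, so the pseudonymised
    records remain linkable (e.g. for analysis) without naming anyone.
    """
    out = []
    for rec in records:
        identity = tuple(rec[k] for k in DIRECT_IDENTIFIERS)
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["pseudonym"] = vault.pseudonym_for(identity)
        out.append(pseudo)
    return out


def reidentify(pseudonymised_record, vault):
    """Pseudonymisation is invertible, but only with the separately held table."""
    return vault.table[pseudonymised_record["pseudonym"]]


def anonymise(records, min_persons=2):
    """Anonymisation in the sense of Recital 26 GDPR: the identifiers are discarded
    irreversibly and only aggregates over groups of at least `min_persons`
    distinct persons are released, so no output can be attributed to an individual.
    No key or table is kept, so there is nothing to reverse.
    """
    persons_per_city = defaultdict(set)
    purchases_per_city = defaultdict(int)
    for rec in records:
        identity = tuple(rec[k] for k in DIRECT_IDENTIFIERS)
        persons_per_city[rec["city"]].add(identity)
        purchases_per_city[rec["city"]] += rec["purchases"]
    return {
        city: {"persons": len(persons), "purchases": purchases_per_city[city]}
        for city, persons in persons_per_city.items()
        if len(persons) >= min_persons  # groups too small to hide in are suppressed
    }


if __name__ == "__main__":
    vault = KeyVault()
    pseudonymised = pseudonymise(RECORDS, vault)
    for rec in pseudonymised:
        print("pseudonymised:", rec)
    print("re-identified with vault:", reidentify(pseudonymised[2], vault))
    print("anonymised:", anonymise(RECORDS))
```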
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised as a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021); CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored either on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be held by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that integrate a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to those operations over which it actually exercises influence on the purposes and means of the processing. This makes it all the more important to clarify the responsibilities of each controller in accordance with [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the next entity facing obligations under several provisions of the GDPR, complementing the concept of the controller in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the processing operations on its behalf.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed examples of controller-processor relationships that serve as reference points:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
An entity qualifying as a processor is subject to many provisions of the GDPR, such as the obligation to implement technical and organisational measures (see [[Article 32 GDPR]]) and liability towards data subjects (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is meant to ensure compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and prior authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: any party to which personal data are disclosed, whether a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer bear full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is entirely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be regarded as a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its obligation to inform data subjects about its processors as recipients under [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the works council or dependent establishments of the controller, are, on the other hand, not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a certain degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that form an inseparable part of the controller’s internal structure are therefore not classified as recipients.<br />
<br />
A further exception applies to public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is a negative delimitation: any person other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. The notion becomes relevant mainly in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller’s internal staff are not third parties, unless an employee uses personal data for his or her own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is not only a third party from the controller’s point of view but also becomes a controller in his or her own right for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis listed in Article 6(1)(a) GDPR. It expresses the data subject’s agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent in the GDPR differs from its constitutional counterpart in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent under the GDPR is neither a waiver of fundamental rights nor a justification for interferences with them.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it is to be seen as an exception to the general prohibition of processing personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not a mere legal fiction, it is subject to additional, cumulative criteria laid down in its definition and complemented by [[Article 7 GDPR]]. In order to be valid, consent has to be freely given, specific, informed and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor is it considered freely given where the performance of a contract or the provision of a service is made conditional on consent to processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power or bundled consent typically occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with few alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be ‘digested’ by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This gives information a more substantive and functional role. Moreover, the request for consent has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. Blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in its recent case law on cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> It is in practice impossible to ascertain whether a user who has not deselected a pre-ticked checkbox actually gave their consent or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent before it is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
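The criteria set out in the subsections above (no pre-ticked boxes, a separate answer per purpose, a recorded notice that mentions the right to withdraw, no bundling with access to the service, withdrawal as easy as giving, and a record the controller can produce under Article 7(1) GDPR) can be enforced in code. The following JavaScript is an added example written for this commentary; it is not code from gdprhub or from any consent management product. The purposes, the field names (noticeVersion, preChecked, gatedPurposes, withdrawalExplained) and the in-memory ledger are assumptions made for illustration.<br />

```javascript
// Added example, not from the gdprhub commentary or any product: a minimal
// consent ledger that enforces the cumulative Article 4(11)/Article 7 criteria
// discussed above. PURPOSES, the ui field names and the in-memory store are
// assumptions made for illustration.

const PURPOSES = Object.freeze({
  analytics: 'Measure how the site is used (first-party analytics)',
  marketing: 'Send product news by e-mail',
});

// Check a consent submission against the state of the UI that produced it.
// `choice` maps purpose -> true/false; `ui` describes what the user was shown.
// Returns { ok: true } or { ok: false, reason }.
function validateConsent(choice, ui) {
  // Informed: the notice version must be on record and the notice must have
  // told the data subject about the right to withdraw (Art. 7(3)).
  if (!ui.noticeVersion || !ui.withdrawalExplained) {
    return { ok: false, reason: 'notice version or withdrawal information missing' };
  }
  // Unambiguous: a pre-ticked box is not a clear affirmative action (Planet49).
  if (ui.preChecked.length > 0) {
    return { ok: false, reason: `pre-ticked purposes: ${ui.preChecked.join(', ')}` };
  }
  // Freely given: the service must not be conditional on purposes that are
  // not necessary for it (Recital 43), so no purpose may gate access.
  if (ui.gatedPurposes.length > 0) {
    return { ok: false, reason: `service gated on: ${ui.gatedPurposes.join(', ')}` };
  }
  // Specific: every purpose is a known one and is answered individually with
  // an explicit true/false; an empty or blanket "agree to everything" fails.
  const keys = Object.keys(choice);
  if (keys.length === 0) return { ok: false, reason: 'no purpose answered' };
  for (const k of keys) {
    if (!Object.prototype.hasOwnProperty.call(PURPOSES, k)) {
      return { ok: false, reason: `unknown purpose: ${k}` };
    }
    if (typeof choice[k] !== 'boolean') {
      return { ok: false, reason: `purpose ${k} not answered explicitly` };
    }
  }
  return { ok: true };
}

class ConsentLedger {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.events = []; // append-only: this is the controller's evidence (Art. 7(1))
  }

  // Record a consent decision; throws if the submission is not valid consent.
  // Returns the number of events recorded so far.
  give(subjectId, choice, ui) {
    const v = validateConsent(choice, ui);
    if (!v.ok) throw new Error(`invalid consent: ${v.reason}`);
    for (const [purpose, granted] of Object.entries(choice)) {
      this.events.push({ subjectId, purpose, granted, noticeVersion: ui.noticeVersion, at: this.clock() });
    }
    return this.events.length;
  }

  // Withdrawal needs nothing beyond naming the purpose: as easy as giving
  // consent was (Art. 7(3)). No re-authentication, no confirmation dialog.
  withdraw(subjectId, purpose) {
    this.events.push({ subjectId, purpose, granted: false, withdrawn: true, at: this.clock() });
  }

  // Consent is whatever the most recent event for this subject and purpose
  // says; a purpose that was never answered has no consent.
  hasConsent(subjectId, purpose) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      const e = this.events[i];
      if (e.subjectId === subjectId && e.purpose === purpose) return e.granted;
    }
    return false;
  }

  // The trail the controller can produce to demonstrate consent (Art. 7(1)).
  evidence(subjectId) {
    return this.events.filter((e) => e.subjectId === subjectId);
  }
}

// Constructed usage: one valid submission and one rejected pre-ticked form.
const ledger = new ConsentLedger();
const shownUi = { noticeVersion: 'privacy-notice-v3', withdrawalExplained: true, preChecked: [], gatedPurposes: [] };
ledger.give('subject-42', { analytics: true, marketing: false }, shownUi);
const rejected = validateConsent({ analytics: true, marketing: true }, { ...shownUi, preChecked: ['marketing'] });
console.log(ledger.hasConsent('subject-42', 'analytics'), rejected.reason);
```

The ledger is append-only on purpose: the controller has to be able to show, for every purpose, which notice version the data subject saw, what they answered and when they withdrew, so events are never overwritten and the current state is always derived from the latest event. The validation runs on the server side against the UI state the server itself rendered, because a client-side check can be bypassed and a pre-ticked default injected by a front-end change would otherwise go unnoticed.<br />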
<br />
==== Capacity ====<br />
Generally, consent must be given by the data subject personally or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the capacity to consent depends on the individual cognitive faculty of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> For information society services offered directly to a child, [[Article 8 GDPR|Article 8(1) GDPR]] sets a minimum age of 16, which Member States may lower, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions of the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered any security incident concerning personal data. The breach has to relate to the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing, i.e. a failure of the technical or organisational measures implemented by the controller under [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access controls for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully passing data on to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption of data by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to unauthorised disclosure of or access to it. Where personal data are disclosed, the mere possibility of access to the data already constitutes a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach is especially relevant for the notification and communication obligations of controllers towards DPAs and data subjects under [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already present or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict conditions.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allow the unique identification of the data subject and at the same time reveal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carry a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, resulting from specific technical processing, which allow or confirm the unique identification of that person. While biometrics in general covers any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference templates that are later compared with the data subject for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold for the legal definition.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not as such considered biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example by applying facial recognition software, that turns the extracted patterns into biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow unique identification, such as body height or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> They may, however, fall under the definition of ‘health data’, which enjoys the same protection as biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. According to Recital 35 GDPR, this covers all data relating to the past, current or future health status of the data subject. Any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person therefore explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addiction to alcohol, drugs or medication, as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples''”.</ref> which allows seamless high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. The WP29 stressed, however, that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’; the legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> Even the presence of a single representative can therefore constitute a stable arrangement if he or she acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If the decisions on the purposes and means of processing are not taken at the place of the controller’s central administration in the EU, the main establishment has to be determined by where the effective and real exercise of those main decisions takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This depends neither on the place of the processing nor on the use of technical means and technologies for processing personal data. To determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of processing finally ‘signed off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to provide additional information proving that its main establishment fulfils the criteria laid down in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in more than one Member State is the place of its central administration in the Union.<br />
<br />
Where the processor has no central administration in the Union, however, the rule is formulated differently: the main establishment is then the establishment of the processor in the Union where the main processing activities take place in the context of the activities of that establishment, to the extent that the processor is subject to specific obligations under the GDPR. This implies that the processing of personal data need not be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘in the context of the activities’ has already been specified by the CJEU, which, building on a broad notion of ‘establishment’, clarified that even an establishment in a Member State intended to promote and sell advertising space for a third-country undertaking processes personal data in the context of the activities of that Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are natural or legal persons established in the Union who are designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs vis-à-vis controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming “out of reach” for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation must be made in writing and must contain a mandate to represent the controller or processor with regard to their obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how the GDPR can be enforced against entities that fail to designate a representative.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> Notably, public authorities are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, including partnerships or associations, regularly engaged in economic activities. With this definition, the GDPR introduces a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires regular engagement in economic activities, which means activities intended to be carried out on a long-term basis and not merely occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities are excluded (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merge them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy in the assessment of fines under [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101 and 102 TFEU], and thus not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action against, or determining fines for, a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; the actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings already suffice to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not form a group of undertakings with it.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
* the joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* the formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* the transfer of data for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* the determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and which therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding corporate rules===<br />
Binding corporate rules (‘BCR’) are ‘personal data protection policies’ adhered to by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries in the absence of an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they serve only for intra-group transfers, i.e. between entities of the group of undertakings or group of enterprises concerned. Transfers to entities outside these groups are not covered by binding corporate rules.<br />
<br />
There are additional requirements regarding the content of such rules. According to Recital 110 GDPR, they must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules must therefore be approved in advance by the competent DPA.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information on these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].<br />
<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20039Article 4 GDPR2021-09-23T13:47:57Z<p>JS: Uploading Article 4(19) GDPR</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on already established terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for such new definitions, there is scope for new interpretations.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes information regarding both the individual’s private and family life and the individual’s working, economic or social behaviour, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> The information need not be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing by a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information "relates to" a person where it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> Conversely, information relating to a larger group of persons, without any possibility of singling out an individual, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered to relate to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A person's name is therefore not necessarily required to identify an individual, given the other, often more unique, identifiers mentioned above.<ref>For direct identification, the name of a person usually needs to be combined with further information such as a birth date, address or photo to prevent confusion with possible namesakes; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified, but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that the use of such information be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment thus requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, the available sources, and the costs, time and effort required to perform the identification. Where a government website collects the IP addresses of its visitors, for example, each address relates to an identifiable person, given the state’s legal means of obtaining the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, measures to identify individuals are becoming increasingly reasonable to expect.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as further pieces of information are continuously added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly provides that pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
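The ‘singling out’ and ‘combination of available pieces of information’ tests discussed above can be measured before a dataset is shared. The following is an added illustration, not part of this commentary or any cited source: on a constructed sample in which names have been replaced by an opaque pseudonym, it counts for each record how many records share its combination of remaining attributes (a count of 1 means that person can be singled out), and shows how generalising those attributes raises the count. The sample, the choice of attributes and the function names are assumptions for the example.<br />

```python
"""Singling out in a 'pseudonymised' dataset: anonymity-set sizes over quasi-identifiers.

Added illustration (not from gdprhub.eu or any cited source). Direct identifiers have
been replaced by an opaque pseudonym, but the remaining attributes (the
quasi-identifiers) may still single a person out when combined.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample: names replaced by pseudonyms, everything else left as collected.
SAMPLE: List[Record] = [
    {"pseudonym": "p1", "postcode": "1010", "birth_year": "1984", "sex": "F", "diagnosis": "A"},
    {"pseudonym": "p2", "postcode": "1010", "birth_year": "1984", "sex": "F", "diagnosis": "B"},
    {"pseudonym": "p3", "postcode": "1020", "birth_year": "1977", "sex": "M", "diagnosis": "A"},
    {"pseudonym": "p4", "postcode": "1030", "birth_year": "1975", "sex": "M", "diagnosis": "C"},
    {"pseudonym": "p5", "postcode": "1030", "birth_year": "1975", "sex": "M", "diagnosis": "A"},
]

# Attributes that are not identifiers on their own but can single a person out in
# combination (assumed choice for this sample).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("postcode", "birth_year", "sex")


def _key(record: Record, quasi_identifiers: Sequence[str]) -> Tuple[str, ...]:
    return tuple(record[q] for q in quasi_identifiers)


def anonymity_set_sizes(records: Sequence[Record],
                        quasi_identifiers: Sequence[str]) -> Dict[str, int]:
    """For each pseudonym, the number of records sharing its quasi-identifier combination.

    A size of 1 means the record is unique in the dataset: the person behind it can
    be singled out, so the data still relates to an identifiable person.
    """
    counts = Counter(_key(r, quasi_identifiers) for r in records)
    return {r["pseudonym"]: counts[_key(r, quasi_identifiers)] for r in records}


def singled_out(records: Sequence[Record], quasi_identifiers: Sequence[str]) -> List[str]:
    """Pseudonyms whose quasi-identifier combination is unique in the dataset."""
    return [p for p, k in anonymity_set_sizes(records, quasi_identifiers).items() if k == 1]


def min_k(records: Sequence[Record], quasi_identifiers: Sequence[str]) -> int:
    """Smallest anonymity set in the dataset (the k of k-anonymity)."""
    return min(anonymity_set_sizes(records, quasi_identifiers).values())


def generalise(records: Sequence[Record], postcode_digits: int = 2,
               year_width: int = 10) -> List[Record]:
    """Coarsen quasi-identifiers so that more records share each combination.

    Postcodes are truncated to a prefix and birth years bucketed into bands. This
    reduces, but does not by itself remove, the possibility of singling out: the
    result still has to be measured again with anonymity_set_sizes().
    """
    out: List[Record] = []
    for r in records:
        g = dict(r)  # copy: the original records are left untouched
        g["postcode"] = r["postcode"][:postcode_digits]
        year = int(r["birth_year"])
        low = year - year % year_width
        g["birth_year"] = f"{low}-{low + year_width - 1}"
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw:        ", anonymity_set_sizes(SAMPLE, QUASI_IDENTIFIERS))
    print("singled out:", singled_out(SAMPLE, QUASI_IDENTIFIERS))
    coarse = generalise(SAMPLE)
    print("generalised:", anonymity_set_sizes(coarse, QUASI_IDENTIFIERS))
    print("min k raw / generalised:", min_k(SAMPLE, QUASI_IDENTIFIERS), min_k(coarse, QUASI_IDENTIFIERS))
```

Note that the pseudonym itself is never used in the check; whoever holds the table linking pseudonyms to names can of course re-identify every record, which is why the data remains personal data in the controller's hands regardless of the result.<br />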
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected via their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law may grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company’s name or e-mail address, allows information on the natural person behind it to be derived, that information may relate to a natural person and therefore constitute personal data. This is especially common for small, family-run or one-person businesses.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data Considered by the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means; it does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR formulates the notion of processing broadly through an enumeration of several operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, or on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information on a website or making it inaccessible.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action with regard to information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
Restriction of processing means neither a complete prohibition on processing nor the erasure of personal data. It is a limitation obliging the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restriction of processing occurs where the data is no longer required for the purpose for which it was originally collected but cannot be deleted because of legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction is to be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must instead be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
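The following is an added example, not part of the GDPRhub commentary, showing how a restriction marker on a record can be enforced in an automated system: while the marker is set, reads are allowed only for the purposes Article 18(2) GDPR still permits, updates are refused, and every decision is logged. The record layout, purpose names and audit log are constructed for illustration.<br />

```python
"""
Added example, not taken from the GDPRhub commentary: a record store that
enforces a restriction of processing (Article 18 GDPR) through a marker on
the record, as Recital 67 GDPR describes for automated systems. Record
layout, purpose names and the audit log are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    """Purposes an operation can declare; names are constructed for this example."""
    STORAGE = "storage"
    LEGAL_CLAIMS = "legal_claims"
    MARKETING = "marketing"
    ANALYTICS = "analytics"


# While a record is restricted, Article 18(2) GDPR still permits storage and,
# among others, processing for the establishment, exercise or defence of legal
# claims or with the data subject's consent. Consent is passed explicitly.
ALLOWED_WHILE_RESTRICTED = {Purpose.STORAGE, Purpose.LEGAL_CLAIMS}


class RestrictionError(PermissionError):
    """Raised when an operation would process a restricted record."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False      # the marker that 'locks' the record
    reason: str = ""


@dataclass
class Store:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision is logged

    def add(self, subject_id: str, data: dict) -> None:
        self.records[subject_id] = Record(subject_id, dict(data))

    def restrict(self, subject_id: str, reason: str) -> None:
        rec = self.records[subject_id]
        rec.restricted, rec.reason = True, reason
        self.audit.append(("restricted", subject_id, reason))

    def lift(self, subject_id: str) -> None:
        rec = self.records[subject_id]
        # Article 18(3): the data subject is informed before the restriction is
        # lifted; here the notification is only recorded as an audit event.
        self.audit.append(("notify_subject_before_lift", subject_id))
        rec.restricted, rec.reason = False, ""
        self.audit.append(("lifted", subject_id))

    def read(self, subject_id: str, purpose: Purpose, consent: bool = False) -> dict:
        """Return a copy of the data if the declared purpose is permitted."""
        rec = self.records[subject_id]
        if rec.restricted and purpose not in ALLOWED_WHILE_RESTRICTED and not consent:
            self.audit.append(("denied_read", subject_id, purpose.value))
            raise RestrictionError(f"{subject_id} is restricted ({rec.reason})")
        self.audit.append(("read", subject_id, purpose.value))
        return dict(rec.data)

    def update(self, subject_id: str, changes: dict) -> None:
        """Recital 67 GDPR: restricted data must not be changed."""
        rec = self.records[subject_id]
        if rec.restricted:
            self.audit.append(("denied_update", subject_id))
            raise RestrictionError(f"{subject_id} is restricted ({rec.reason})")
        rec.data.update(changes)


def demo() -> dict:
    """Walk through one restriction lifecycle and report what was allowed."""
    store = Store()
    store.add("subj-42", {"name": "A. Example", "segment": "gold"})  # constructed
    store.restrict("subj-42", "accuracy contested, Article 18(1)(a)")
    result = {}
    try:
        store.read("subj-42", Purpose.MARKETING)
        result["marketing_while_restricted"] = True
    except RestrictionError:
        result["marketing_while_restricted"] = False
    claims = store.read("subj-42", Purpose.LEGAL_CLAIMS)
    result["legal_claims_while_restricted"] = claims["segment"] == "gold"
    try:
        store.update("subj-42", {"segment": "silver"})
        result["update_while_restricted"] = True
    except RestrictionError:
        result["update_while_restricted"] = False
    store.lift("subj-42")
    result["marketing_after_lift"] = store.read("subj-42", Purpose.MARKETING)["segment"]
    result["denials_logged"] = sum(1 for e in store.audit if e[0].startswith("denied"))
    return result


if __name__ == "__main__":
    print(demo())
```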
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical methods to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour, as well as location and movements. Popular examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application (see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR) or automated decision making ([[Article 22 GDPR]]). In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in a way that information is either separated or replaced so that it no longer allows attribution to a particular data subject without the use of additional information. In order for data to count as pseudonymised, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names through IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3, 4 GDPR, taking into account the costs, the amount of time and the available technology required to identify the data subject. However, given the recent emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation typically remains able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR, such as ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
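As an added example that is not part of the GDPRhub commentary, the block below pseudonymises constructed customer records by replacing names and e-mail addresses with keyed hashes (HMAC-SHA256), keeps the key and mapping in a separate vault so that the controller can still re-identify, and shows that destroying the vault removes that ability. The records, field names and vault are assumptions made for illustration; whether the remaining data is then anonymous in the sense of Recital 26 GDPR is not something the code decides.<br />

```python
"""
Added example, not taken from the GDPRhub commentary: pseudonymising customer
records by replacing direct identifiers with keyed hashes (HMAC-SHA256) and
keeping the re-identification data in a separate vault, so that the dataset
alone no longer attributes to a person while the key holder can reverse it.
The records, field names and vault are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (no real persons)
CUSTOMERS = [
    {"name": "Anna Example", "email": "anna@example.org", "purchase": "laptop"},
    {"name": "Bert Sample", "email": "bert@example.org", "purchase": "headphones"},
    {"name": "Anna Example", "email": "anna@example.org", "purchase": "charger"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    Keyed rather than plain SHA-256: an unkeyed hash of a name or e-mail is the
    same for everyone who computes it, so a plain hash of a guessable value is
    easily matched. With the key held only in the vault, the output is still
    deterministic (records of one person stay linkable) but only the key holder
    can relate a pseudonym to a candidate value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class Vault:
    """Holds the 'additional information' of Article 4(5) GDPR: the key and the
    pseudonym-to-value mapping. It must be stored separately from the
    pseudonymised dataset and behind its own access controls."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.mapping: dict = {}

    def pseudonymise(self, records: list) -> list:
        out = []
        for rec in records:
            new = dict(rec)
            for f in DIRECT_IDENTIFIERS:
                if f in new:
                    p = pseudonym(new[f], self.key)
                    self.mapping[p] = new[f]
                    new[f] = p
            out.append(new)
        return out

    def reidentify(self, record: dict) -> dict:
        """Reverse the pseudonymisation; fails once the mapping is gone."""
        if self.key is None:
            raise LookupError("additional information destroyed")
        orig = dict(record)
        for f in DIRECT_IDENTIFIERS:
            if f in orig:
                orig[f] = self.mapping[orig[f]]
        return orig

    def destroy(self) -> None:
        """Delete key and mapping. The dataset then stops being reversible for
        this controller, but it is only anonymous if the remaining fields cannot
        reasonably be attributed to a person (Recital 26 GDPR), which this code
        does not assess."""
        self.key = None
        self.mapping.clear()


def can_reidentify(vault: Vault, record: dict) -> bool:
    try:
        vault.reidentify(record)
        return True
    except LookupError:       # covers KeyError as well
        return False


def identifiers_present(records: list) -> bool:
    """Check whether any original direct identifier survives in the dataset."""
    originals = {c[f] for c in CUSTOMERS for f in DIRECT_IDENTIFIERS}
    return any(v in originals for r in records for v in r.values())


if __name__ == "__main__":
    vault = Vault()
    data = vault.pseudonymise(CUSTOMERS)
    print(data)
    print(vault.reidentify(data[1]))
```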
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored either on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information to be stored on multiple persons. Storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that integrate a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing on whose purposes and means it has influence. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity subject to obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as reference points for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When an entity qualifies as a processor, many provisions of the GDPR apply to it, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad: any party to which personal data is disclosed, independently of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer take full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor is generally acting on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not”.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients, on the other hand, are particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: any person other than the data subject, the controller, the processor or any other person authorised to process personal data by the controller. The notion becomes mainly relevant in the balancing of interests, such as in Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, apart from being considered a third party from the point of view of the controller, the employee becomes a controller themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>''CJEU'', C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, like terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>''CJEU'', C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had simply not noticed the information provided.<ref>''CJEU'', C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07 (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16, while member states may not reduce that age limit to below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a security breach within that processing. This covers any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can be caused either by targeted attacks by other parties or by mishandling of personal data by the controller or by persons acting on its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storing infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unrecoverable encryption through ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the incident must lead to the accidental or unlawful destruction, loss or alteration of data, or to its unauthorised disclosure or access. Whenever personal data is disclosed, this already qualifies as a personal data breach through the mere possibility of accessing that data. Actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data referring to the physical, physiological or behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally covers any means of analysing and measuring the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a considerably higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as body size or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveal information about their health status. According to Recital 35 GDPR, this covers all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples of health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(15) GDPR, margin number 5 (Nomos 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> so as to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. in the public health sector) it may be necessary to process sensitive data without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, the presence of a single representative can already constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, the main establishment has to be determined based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This should depend neither on the place of processing nor on the use of technical means and technologies for processing personal data. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria set out in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
As with controllers, the main establishment of a processor with establishments in multiple member states is the place of its central administration in the Union.<br />
<br />
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which built on a broad definition of ‘establishment’ and clarified that an establishment in a member state intended to provide advertising space for a third-country undertaking already constitutes processing of personal data in the context of the activities of an establishment in the Union.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data of data subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming out of reach for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires a regular engagement in economic activities, meaning activities intended to be long-term rather than merely occasional.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Purely family or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(2)(c) GDPR]]) are excluded.<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, the translations into other languages merged them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term ‘undertaking’ within the meaning of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thus not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of undertakings===<br />
A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref><br />
<br />
In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref><br />
<br />
Two undertakings already suffice to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref><br />
<br />
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:<br />
* the joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),<br />
* the formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),<br />
* data transfers for internal administrative purposes (Recital 48 GDPR in conjunction with [[Article 6 GDPR|Article 6(1)(f) GDPR]]),<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> and<br />
* the determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).<br />
<br />
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’, which is also used in several provisions across the GDPR. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.<br />
<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20036Article 4 GDPR2021-09-23T13:42:37Z<p>JS: Uploading Article 4(18) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; these require, and leave scope for, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, namely (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’; all four must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated already in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The European Court of Human Rights likewise stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of the individual's position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons, without any possibility of singling out an individual, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Similarly, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> This applies increasingly to information on the growing number of personal devices, wearables and RFID chips, which becomes related to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose for which information is used creates a relation to a person where it is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, since the other identifiers mentioned are often more distinctive.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that such means be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors to government websites, for example, each address relates to an identifiable person, given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, measures to successfully identify individuals become increasingly reasonable, and thus more likely to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as ever more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that even pseudonymised data remains information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is likewise generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, for instance because a company’s name or email address contains the owner’s name, it may relate to a natural person and therefore constitute personal data. This is especially common for small, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref><br />
*Name of a person in conjunction with his or her telephone number, or information about his or her working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address, where the website operator has legal means to obtain the identifying information from the internet service provider<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate in a professional examination and the examiner’s comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To be considered ‘processing’, the operation in question has to relate to personal data in the sense of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through a non-exhaustive enumeration of operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances the accessibility and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or email addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data or specific criteria), such as grid searches (‘dragnet’ investigations).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and its categories overlap. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action at all regarding information that the data subject forces upon it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction shall be ensured by technical means so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated filing systems, marking the data is typically not sufficient; it requires relocation to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> A data subject who has obtained a restriction of processing has to be informed by the controller before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can be initiated at the request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or by a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in connection with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health and, more generally, personal preferences, interests and behaviour, as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating or scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-recruitment systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated individual decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a way that identifying information is separated or replaced, so that the data can no longer be attributed to a specific data subject without the use of additional information. In order for data to count as pseudonymised, this additional information needs to be kept separately and protected by technical and organisational measures that prevent the data subject from being identified by the respective controller.<br />
<br />
Examples of the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive removal of any information allowing identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 5/2015, p. 210.</ref> <br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time required and the technology available to identify the data subject. However, with the emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR, in particular regarding:<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref><br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
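The ‘hashing’ example and the requirement to keep the additional information separate deserve a practical illustration. The following block is an added worked example and not part of this commentary: it pseudonymises the email address of a few constructed sample records in three ways. A plain SHA-256 hash is reversed by simply recomputing it over a list of guessable addresses, so an unkeyed hash of a low-entropy identifier such as an email address or a name is not effective pseudonymisation in the sense of Article 4(5) GDPR. An HMAC under a secret key, or a table of random tokens, can only be reversed by whoever holds the key or the table, which is exactly the ‘additional information’ that has to be stored separately. All records, names and the key handling are assumptions made for the example.<br />
<br />
```python
"""Pseudonymising identifiers: unkeyed hash vs keyed hash vs token table.

Added example for the commentary on Article 4(5) GDPR; the records, the
function names and the key handling are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records; the persons and addresses are fictitious.
RECORDS: List[Dict[str, object]] = [
    {"email": "anna.meier@example.com", "age": 34, "city": "Vienna"},
    {"email": "b.novak@example.org", "age": 51, "city": "Graz"},
    {"email": "carla.rossi@example.net", "age": 27, "city": "Linz"},
]

# Constructed list of identifiers an attacker could plausibly guess
# (e.g. scraped from a customer list or a public directory).
GUESS_LIST: List[str] = [str(r["email"]) for r in RECORDS] + ["nobody@example.com"]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier. It looks random, but anyone who can
    guess the input recomputes the same digest, so for low-entropy data it is
    reversible by a dictionary attack and does not protect the data subject."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Article 4(5) GDPR: whoever holds it can re-identify, so it must be kept
    apart from the pseudonymised dataset (e.g. in a key management system)."""
    return hmac.new(key, value.strip().lower().encode("utf-8"),
                    hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: recompute fn over guessable inputs and
    return the candidate that reproduces the target pseudonym, or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


class TokenPseudonymiser:
    """Lookup-table approach: each identifier is replaced by a random token.
    The table token -> identifier is the additional information; it has to
    live in a separate, access-controlled store. Without it the tokens carry
    no information about the person at all."""

    def __init__(self) -> None:
        self._token_to_id: Dict[str, str] = {}
        self._id_to_token: Dict[str, str] = {}

    def pseudonymise(self, value: str) -> str:
        """Same input always maps to the same token, so records stay linkable."""
        if value not in self._id_to_token:
            token = secrets.token_hex(16)  # 128 random bits: not guessable
            self._token_to_id[token] = value
            self._id_to_token[value] = token
        return self._id_to_token[value]

    def reidentify(self, token: str) -> Optional[str]:
        """Only possible for whoever holds the mapping table."""
        return self._token_to_id.get(token)

    def export_table(self) -> Dict[str, str]:
        """The separately stored secret; the dataset never ships with it."""
        return dict(self._token_to_id)


def pseudonymise_dataset(records: List[Dict[str, object]],
                         key: bytes) -> List[Dict[str, object]]:
    """Replace the direct identifier (email) by a keyed pseudonym. The other
    attributes remain, so the result is pseudonymised, not anonymised."""
    out: List[Dict[str, object]] = []
    for rec in records:
        copy = dict(rec)
        copy["pid"] = keyed_hash(str(copy.pop("email")), key)
        out.append(copy)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice stored separately from the data
    data = pseudonymise_dataset(RECORDS, key)
    plain = unkeyed_hash("anna.meier@example.com")
    print("unkeyed hash reversed:  ", dictionary_attack(plain, GUESS_LIST, unkeyed_hash))
    print("keyed hash, no key:     ", dictionary_attack(str(data[0]["pid"]), GUESS_LIST, unkeyed_hash))
    print("keyed hash, with key:   ", dictionary_attack(str(data[0]["pid"]), GUESS_LIST,
                                                        lambda c: keyed_hash(c, key)))
```
<br />
Running the file shows that only the attempt made with the key succeeds against the keyed pseudonyms, whereas the unkeyed hash falls to the guess list immediately. The same reasoning applies to encryption: the ciphertext is pseudonymised data only as long as the decryption key is held by someone other than the party working with the dataset, and rotating the key or the token table yields a fresh set of pseudonyms.<br />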
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied where the personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on several, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Further examples are:<br />
<br />
* Salary lists of employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Filed letter correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations laid down in the GDPR. A controller can be any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the purposes and means of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, the CJEU has found the following actors to be controllers alongside each other, in the latter two cases as joint controllers:<br />
<br />
* Search engine operators and the operators of the websites whose information is indexed, structured, presented and complemented with advertisements in search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data, which otherwise might not have been found on the web page on which they are published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and the operators of websites that embed a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button on a website is made by the website operator and enables Facebook to obtain personal data of the visitors to that website.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to the part of the processing over which it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
In practice, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such an entity, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]), liability for damages (see [[Article 82 GDPR]]) and the possibility of being fined (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which ensures compliance with the GDPR through a binding data processing agreement. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and prior authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad: any party to which personal data is disclosed, whether a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer assume full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal definition. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller from informing the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are, on the other hand, not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception applies to independent financial or administrative public authorities, such as tax or customs authorities, that receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, the controller, the processor or persons who are authorised by the controller or processor to process personal data. The concept is mainly relevant for the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process data are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for his or her own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is not only a third party from the point of view of the controller but also becomes a controller for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR differs from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception to the general prohibition of processing personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Consent shall also not be considered freely given where it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner that is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously, in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-checked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user who did not deselect the pre-ticked checkbox actually gave their consent or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16, while member states may lower that age limit, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organizational safeguards implemented by the controller in accordance with [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage facilities or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unrecoverable encryption through ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to result in the accidental or unlawful destruction, loss or alteration of data, or in the unauthorised disclosure of or access to it. Wherever personal data is disclosed, the mere possibility of accessing that data qualifies the incident as a personal data breach; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing, which allows their unique identification. While this generally covers any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not as such considered biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that makes the extracted patterns biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow unique identification, such as body size or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which offers protection similar to that for biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, present or future health status of the data subject. Accordingly, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental inability to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it overlaps strongly with the notions of genetic and biometric data<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. in the public health sector) sensitive data may need to be processed without the data subject’s consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis on the basis of an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, whether there is an establishment depends on the following: “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement where that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment on the basis of where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration. <br />
<br />
However, where there is no central administration in the Union, the rules for processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, subject to the obligations under the GDPR. This implies that the processing of personal data need not be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that even the intention of a member state establishment to provide advertising space for a third-country undertaking amounts to processing of personal data in the context of the Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
Representatives are any legal or natural persons established in the Union designated by a controller or processor in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
In this regard, the notion of a representative becomes relevant for actors falling within the territorial scope of the GDPR without having any establishment within the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents actors established only in a third country from becoming unreachable for data subjects and DPAs within the Union. Representatives may therefore be, for example, designated employees, lawyers or whole firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation shall be made in writing and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not designate a representative may be addressed under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> In this regard, public authorities in particular are excluded from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref><br />
<br />
An enterprise requires regular engagement in economic activities, meaning activities intended to be long-term rather than merely occasional.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are purely familial or personal activities (household activities, see also the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]).<br />
<br />
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, translations into other languages merged them into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This causes controversy around the assessment of fines according to [[Article 83 GDPR]], which in the English language version refers to the term ‘undertaking’ in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, the notion is to be understood broadly when taking enforcement action or determining fines against a particular entity (see the commentary on [[Article 83 GDPR]]).<br />
<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20035Article 4 GDPR2021-09-23T13:37:00Z<p>JS: Uploading Article 4(17) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the key notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for such new definitions there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’, (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In the same vein, the European Court of Human Rights stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria, namely whether “''the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example, medical records on a patient or the file of an employee.</ref> By contrast, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allow the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, with the growing number of personal devices, wearables and RFID chips, information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose for which information is used establishes a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is "identified" where they can be distinguished, or "singled out", from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the "identifiers" listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person's height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, since the identifiers mentioned above are often more unique than a name.<ref>For direct identification, a name usually has to be combined with further information such as a date of birth, an address or a photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is "identifiable" where they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: "''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''" The starting point is therefore an absolute (objective) approach that considers information held by the controller as well as information available to other entities. However, the requirement that such means be "reasonably likely" to be used narrows the approach towards a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order "''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''"<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors of governmental websites, for example, each address relates to an identifiable person, given the state's legal powers to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, the means required to identify individuals become increasingly reasonably likely to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore explicitly states that pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or residents of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which "''Everyone has the right to recognition everywhere as a person before the law''".<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define the legal personality of a natural person as running from birth to death.<ref>However, the rules for unborn children differ considerably between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1(2) [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding a legal person is protected by the GDPR where it amounts to information on a natural person. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address containing the name of its owner, it may relate to that natural person and therefore constitute personal data. This is especially common for small, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data considered by the CJEU ====<br />
* Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
* Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, and reference numbers issued and used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
* Municipality of residence and information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
* Data relating both to monies paid by certain bodies and to their recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
* The name of a person in conjunction with their telephone number or information about their working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
* The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
* Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
* Video surveillance footage<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
* Written answers submitted by a candidate in a professional examination and any examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
* Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' ("pushing" information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other, specific criteria), such as grid investigations (also known as 'dragnet' searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking data in order to limit its further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action whatsoever with regard to information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It is a limitation under which the controller may process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose for which it was originally collected but cannot be deleted due to legal retention obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that 'lock' it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction shall be ensured by technical means that prevent the personal data from being subject to further processing operations or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated filing systems, merely marking the data is typically not sufficient; the data has to be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Methods of restriction could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, a data subject who has obtained a restriction of processing must be informed by the controller before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]] or be ordered by a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information, see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR responds to risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical or mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests, reliability and behaviour, as well as location and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope (see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR) or automated individual decision-making ([[Article 22 GDPR]]). In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a way that information is separated or replaced so that the data can no longer be attributed to a specific data subject without the use of additional information. For data to count as pseudonymised, this additional information must be kept separately and be subject to technical and organisational measures which ensure that the data cannot be attributed to an identified or identifiable natural person by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing the data subject to be identified. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the recent emergence of big data analytics and growing data processing capabilities, anonymisation is becoming increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a 'subjective anonymisation',<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject must be stored separately and must be secured by technical and organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this way, pseudonymisation reduces the risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example regarding:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing data protection by design and by default ([[Article 25 GDPR]])<br />
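The technical side of the definition, as an added example that is not part of this commentary: the short Python script below (constructed sample data, no real processing) contrasts an unkeyed hash of an e-mail address, which any party can reverse by hashing a list of candidate addresses and so remains personal data under the "means reasonably likely to be used" test of Recital 26, with keyed pseudonymisation (HMAC-SHA256), where the key is the "additional information" of Article 4(5) and is held separately from the pseudonymised data set. The names <code>Pseudonymiser</code>, <code>naive_hash</code>, <code>dictionary_attack</code> and <code>pseudonymise_records</code> are this example's own.<br />

```python
"""Pseudonymisation in the sense of Article 4(5) GDPR, illustrated in code.
Added example with constructed sample data; not taken from any real system."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed customer records; the e-mail address is the direct identifier.
RECORDS: List[dict] = [
    {"email": "alice@example.org", "purchase": 42.50},
    {"email": "bob@example.org", "purchase": 13.00},
    {"email": "Alice@example.org", "purchase": 7.25},  # same person, different casing
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of a normalised identifier. Deterministic and public:
    anyone who can guess the input can recompute the token and match it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identification with 'means reasonably likely to be used' (Recital 26):
    hash every plausible identifier (leaked address list, public directory, ...)
    and compare. Succeeds against naive_hash, fails against keyed tokens."""
    for cand in candidates:
        if hmac.compare_digest(naive_hash(cand), token):
            return cand.strip().lower()
    return None


class Pseudonymiser:
    """Keyed pseudonymisation with HMAC-SHA256.

    The key (and the optional reverse-lookup table) is the 'additional information'
    of Article 4(5): it lives only inside this object and, in a real deployment,
    in a separate store with its own access controls, never next to the data set."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Assumption of this example: a random 256-bit key if none is supplied.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}  # pseudonym -> identifier, key holder only

    def pseudonymise(self, identifier: str) -> str:
        norm = identifier.strip().lower()
        token = hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()
        self._reverse[token] = norm
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the additional information can reverse the mapping."""
        return self._reverse.get(token)


def pseudonymise_records(records: List[dict], p: Pseudonymiser) -> List[dict]:
    """The data set handed to a processor: direct identifiers removed, but records of
    the same person stay linkable through a consistent pseudonym ('pid')."""
    return [{"pid": p.pseudonymise(r["email"]), "purchase": r["purchase"]} for r in records]


if __name__ == "__main__":
    p = Pseudonymiser()
    data = pseudonymise_records(RECORDS, p)
    leaked_list = ["carol@example.org", "alice@example.org", "bob@example.org"]
    print("unkeyed hash reversed to:", dictionary_attack(naive_hash("alice@example.org"), leaked_list))
    print("keyed pseudonym reversed to:", dictionary_attack(data[0]["pid"], leaked_list))
    print("key holder re-identifies:", p.reidentify(data[0]["pid"]))
```

Two points follow from running it. First, a plain hash of a low-entropy identifier such as an e-mail address is not pseudonymisation in the sense of Article 4(5): the candidate list is the "additional information", and it is available to everyone. Second, even the keyed data set remains personal data for the key holder, who can re-identify every record, and it stays linkable per person for the processor; separating the key reduces risk for the data subjects but does not take the data set out of the GDPR.<br />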
<br />
===(6) Filing System===<br />
The notion of 'filing system' is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied where personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple carriers, in a centralised or decentralised manner. Nor does a filing system require information to be stored on multiple persons; structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data qualifies as a controller. This includes decisions on 'whether', 'why' and 'how' personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the purposes and means of the processing of personal data, these responsibilities can be shared between different entities. In such cases of 'joint' or 'co-controllership', the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the processing. In order to ensure effective and complete protection of data subjects, the concept of 'controller' is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the operators of the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a 'Like' button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a 'Like' button is made by the website operator and enables Facebook to obtain personal data of the visitors to that website.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to those operations on which it has influence over the purposes and means of the processing. This makes it particularly important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information, see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the technical operations of the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for its own further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a 'joint' or 'co-controller' from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed several reference examples of controller-processor relationships:<br />
<br />
* Outsourcing of Call Centres for Customer Communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of Mail Services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud Hosting and Grid Computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being held liable (see [[Article 82 GDPR]]) and fined (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the prior authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether that party is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the controller's information obligations. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully control, on its own, how that data is processed.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its obligation to inform data subjects about its processors as recipients in accordance with [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the controller's internal structure are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller or processor to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is not only a third party from the controller's perspective but also becomes a controller in their own right for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Likewise, it shall not be considered freely given where the performance of a service is made conditional on consent to the processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give the information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user actually gave consent by not deselecting the pre-ticked checkbox or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent before it is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> For information society services offered directly to a child, [[Article 8 GDPR|Article 8(1) GDPR]] sets a minimum age of 16 for the child's own consent, while Member States may provide for a lower age, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident concerning personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing, that is, a failure of the technical or organisational measures implemented by the controller in accordance with [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems processing personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully passing data on to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Encryption by ransomware where the data cannot be restored,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident must lead to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or to unauthorised access to it. Whenever personal data is disclosed, this qualifies as a personal data breach by virtue of the mere possibility of accessing the data; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow clear conclusions to be drawn about growth, metabolism, appearance, diseases or the like, whether already present or expected to arise in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, Member States may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows the unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, resulting from specific technical processing, which allow or confirm the unique identification of that person. While this generally covers any means of analysing and measuring human characteristics,<ref>Usually through the creation of reference templates that are then compared with the data subject's characteristics later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold for the classification.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not as such considered biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that renders the extracted templates biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that do not allow unique identification, such as height or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data under [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health status. According to Recital 35 GDPR, this includes all data pertaining to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medication as well as participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalisations, sick notes and sick pay<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(15) GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> which allows seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. in the public health sector) it may be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to determine the main establishment of an entity according to objective criteria and subsequently to identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If the decisions on the purposes and means of processing are not taken at the place of the controller’s central administration in the EU, the main establishment is the establishment in which the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This depends neither on the place where the processing is carried out nor on the technical means and technologies used for the processing of personal data. Instead, to determine the controller’s main establishment the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of the processing given final ‘sign off’?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to provide additional information proving that its main establishment fulfils the criteria set out in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
Similarly to the rules for controllers, the main establishment of a processor with establishments in multiple Member States shall also be the place of its central administration in the Union.<br />
<br />
However, where there is no central administration in the Union, the rule for processors is formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘in the context of the activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that the processing of personal data by a third-country undertaking is carried out in the context of the activities of its establishment in a Member State where that establishment is intended to promote and sell advertising space for the undertaking’s service in that Member State.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgment, the WP29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning is based on an “''inextricable link''” between the activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information determining the lead and concerned supervisory authorities in cross border contexts see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
A representative is any natural or legal person established in the Union who has been designated by a controller or processor in accordance with [[Article 27 GDPR]]. Representatives are not to be confused with the executive organs of the controller; they serve as contact points for data subjects and DPAs towards controllers and processors that are established only outside the Union.<br />
<br />
The notion of a representative is therefore relevant for actors that fall within the territorial scope of the GDPR without having any establishment in the Union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the Union processing personal data on data subjects within the Union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> In this way, the representative prevents actors established only in a third country from becoming unreachable for data subjects and DPAs within the Union. Examples of representatives are therefore designated employees, lawyers or entire firms established within the Union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref><br />
<br />
The designation must be made in writing and must contain a mandate to represent the controller or processor with regard to their obligations under the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities that do not designate a representative can be reached under the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> Public authorities and bodies, in particular, are exempt from the obligation to designate a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref><br />
<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20034 Article 4 GDPR 2021-09-23T13:33:04Z
<p>JS: Uploading Article 4(26) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these there is scope for, and need of, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into the four requirements of (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was later also taken by the Commission, which stated that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The European Court of Human Rights likewise stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. Following the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
By its content, information is "relating to" a person when it is about that particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example the medical records of a patient or the file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> Given the growing number of personal devices, wearables and RFID chips, information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, by its purpose, information relates to a person where it is used, or is likely to be used, to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effect of the processing: the impact on a particular person’s rights and interests determines whether information relates to that person, even where neither the content nor the purpose element is met.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given that the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers information held by the controller as well as information available to other entities. However, the requirement that such means be “reasonably likely” to be used narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the cost, time and effort required to perform the identification. Where a governmental website collects the IP addresses of its visitors, for example, each address relates to an identifiable person, since the state has legal means to obtain from the internet access provider the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means of identifying individuals become increasingly reasonable to expect.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore expressly states that pseudonymised data which could be attributed to a natural person by the use of additional information remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or residents of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national laws usually treat a natural person as existing from birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. A further exception can apply to genetic data, where the data of deceased persons may be indirectly protected through their living relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding a legal person is protected by the GDPR where it at the same time constitutes information on a natural person. In particular, where information on a legal person allows information on the natural persons behind it to be derived, such as a company name or e-mail address that identifies its owner, it may relate to a natural person and therefore be personal data. This is especially common for small, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data in CJEU Case Law ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone number or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted in a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR formulates the notion of processing broadly through a list of typical processing operations:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (retaining information on a physical, readable medium), such as keeping information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjusting the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changing the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparing information against other data or specific criteria), such as dragnet investigations.<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking stored data with the aim of limiting its further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting stored data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and its items are not mutually exclusive. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action at all with respect to information that the data subject imposes on it unsolicited.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It limits the controller to processing the personal data in question only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted where the data is no longer required for the purpose for which it was originally collected but cannot be erased because of legal retention obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction should be ensured by technical means that make clear the personal data is not subject to further processing operations and cannot be changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, merely marking the data is typically not sufficient; the data has to be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Methods of restriction could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> A data subject who has obtained a restriction of processing must be informed by the controller before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]] or by order of a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR responds to the risks originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It can already occur on the basis of online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as performance at work, economic situation, health or, more generally, personal preferences, interests and behaviour as well as location and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated individual decision-making, see [[Article 22 GDPR]]. In any case, the controller has to inform the data subject of the existence of profiling and of its consequences.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, typically by separating out or replacing the identifying elements. For data to count as pseudonymised, this additional information has to be kept separately and be subject to technical and organisational measures that ensure the personal data are not attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing the data subject to be identified. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data turns on the decisive criterion of reasonable likelihood in Recital 26 sentences 3 and 4 GDPR, taking into account the costs, the amount of time required and the technology available to identify the data subject. However, with the rise of big data analytics and growing data processing capabilities, genuine anonymisation becomes increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical and organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> Pseudonymisation thus reduces the risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
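The following is an added illustration of the distinction drawn above and of the "means reasonably likely to be used" test discussed under ''Identified or Identifiable''; it is not part of the commentary or of any cited authority. It contrasts an unkeyed hash of an IP address, which an outsider reverses by simply enumerating the (small) IPv4 address space, with a keyed pseudonym (HMAC-SHA256) whose key and mapping table are the separately held "additional information" of Article 4(5) GDPR. HMAC-SHA256 as the pseudonymisation function, the sample web-server records and the 203.0.113.0/24 range are all assumptions made for the example.

```python
"""Keyed pseudonymisation versus naive hashing.

Added example for the commentary on Article 4(5) GDPR; not part of the
original page or of any cited authority. HMAC-SHA256 with a secret key is
assumed as the pseudonymisation function; the sample records and the
address range are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample web-server records (the kind of data at issue in Breyer).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"ip": "203.0.113.17", "path": "/"},
    {"ip": "203.0.113.42", "path": "/login"},
    {"ip": "203.0.113.17", "path": "/account"},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. It looks irreversible, but the function is public,
    so anyone can recompute it over every candidate identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reverse_naive_hash(digest: str, network: str) -> Optional[str]:
    """Attacker's view: enumerate a candidate range and compare digests.
    IPv4 has only 2**32 addresses, so the whole space is within the reach of
    'means reasonably likely to be used'; a /24 keeps the demo fast."""
    for host in ipaddress.ip_network(network).hosts():
        if naive_hash(str(host)) == digest:
            return str(host)
    return None


class Pseudonymiser:
    """Keyed pseudonymisation: pseudonym = HMAC-SHA256(key, identifier).

    The key and the mapping table are the 'additional information' of
    Article 4(5) GDPR: kept separately from the pseudonymised dataset and
    protected by technical and organisational measures. Whoever holds them
    can re-identify; whoever does not cannot enumerate, because the
    unpredictability now comes from the key, not from the identifier."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        # Held only by the key holder (a separate system or role), so that
        # re-identification is a deliberate, auditable act.
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        pseudonym = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self._lookup.get(pseudonym)


def pseudonymise_records(records: List[Dict[str, str]],
                         pseudonymiser: Pseudonymiser) -> List[Dict[str, str]]:
    """Replace the direct identifier in each record and leave the rest intact.
    Equal inputs map to equal pseudonyms, so one visitor's requests stay
    linkable: the dataset is pseudonymised, not anonymised, and remains
    personal data under Recital 26."""
    return [{**r, "ip": pseudonymiser.pseudonymise(r["ip"])} for r in records]


if __name__ == "__main__":
    digest = naive_hash("203.0.113.42")
    print("naive hash reversed to:", reverse_naive_hash(digest, "203.0.113.0/24"))

    holder = Pseudonymiser()
    out = pseudonymise_records(SAMPLE_RECORDS, holder)
    print("visitor's requests still linkable:", out[0]["ip"] == out[2]["ip"])
    print("enumeration against keyed pseudonym:", reverse_naive_hash(out[1]["ip"], "203.0.113.0/24"))
    print("key holder re-identifies:", holder.reidentify(out[1]["ip"]))
```

The mapping table is a convenience: the key alone already lets its holder confirm any candidate identifier by recomputing the HMAC, which is why the key, and not only the table, has to live outside the reach of whoever works with the pseudonymised records. Pixelation and ID replacement from the list above raise the same question: whatever links the pseudonym back to the person has to be kept apart, otherwise the data is merely relabelled, not pseudonymised.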
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach of the GDPR.<br />
<br />
A filing system is characterised as a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow targeted searches for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when the personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on several, in a centralised or decentralised manner. Nor does a filing system require information on several persons to be stored: structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations under the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data is a controller. This includes the decisions on ‘whether’, ‘why’ and ‘how’ personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in the commentary on Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared among different entities. In such cases of a ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing within an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data, which otherwise might not have been found on the web page on which they are published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as reference cases for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When an entity qualifies as a processor, many provisions of the GDPR apply to it, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer bear full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor is generally acting on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that the entity requires a particular degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities, receiving personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for the processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, while they are considered a third party from the point of view of the controller, they also become controllers themselves for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception to the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while member states may lower that age limit, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal Data Breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks by other parties or by mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unrecoverable encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to result in the accidental or unlawful destruction, loss or alteration of data, or in the unauthorised disclosure of, or access to, such data. Wherever personal data is disclosed, this qualifies as a personal data breach through the mere possibility of accessing that data. Actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic Data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric Data===<br />
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally includes any means of analysing and measuring the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that turns the extracted patterns into biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow a unique identification, such as body size or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data could then fall under the definition of ‘health data’, which offers protection similar to that for biometric data, according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data Concerning Health===<br />
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services, which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless high level of protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main Establishment===<br />
If a controller or processor has establishments in more than one member state, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.<br />
<br />
It is the role of the data protection authorities to properly determine the main establishment of an entity according to objective criteria and subsequently identify the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the WP29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Controller ====<br />
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> <br />
<br />
Recital 22 GDPR defines an establishment as ‘the effective and real exercise of activity through stable arrangements’. The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, even the presence of a single representative can constitute a stable arrangement when that representative acts with a sufficient degree of stability and with the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref><br />
<br />
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of processing nor on the use of technical means and technologies for processing personal data or on the processing activities themselves. Instead, to determine the controller’s main establishment, the WP29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
* Where are decisions about the purposes and means of processing finally signed off?<br />
* Where are decisions about business activities that involve data processing made?<br />
* Where does the power to have decisions implemented effectively lie?<br />
* Where is the Director with responsibility for cross-border processing located?<br />
* Where is the controller or processor registered as a company?<br />
<br />
A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref><br />
<br />
==== Main Establishment of a Processor ====<br />
As with controllers, the main establishment of a processor with establishments in more than one Member State is also the place of its central administration in the Union. <br />
<br />
However, where there is no central administration in the Union, the rule for processors is formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, to the extent that the processor is subject to specific obligations under the GDPR. The processing of personal data therefore does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, which, building on a broad definition of ‘establishment’, clarified that where an establishment in a Member State is intended to provide advertising space for a third-country undertaking, that undertaking’s processing of personal data already takes place in the context of the activities of the establishment in the Union.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref><br />
<br />
Following up on the CJEU judgement, the WP29 specified that EU law may apply to the data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning rests on an “''inextricable link''” between the activities of an establishment in the EU and the data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref><br />
<br />
==== Cases Involving Both the Controller and the Processor ====<br />
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts, see the commentary on [[Article 56 GDPR]] and on Article 4(22)-(23) GDPR.<br />
<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20033 Article 4 GDPR 2021-09-23T13:05:18Z<p>JS: Uploading Article 4(15) GDPR</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these there is scope for, and a need for, new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, stating that <cite>''“any item of data relating to an individual, harmless though it may seem, may be sensitive”''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information on the individual’s private and family life and information on their working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium, the definition covers data of any type, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee</ref> By contrast, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner’s wealth and income, while car service records allow conclusions about the driver’s behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used, or is likely to be used, to evaluate, treat in a certain way or influence the status or behaviour of that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way the person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effect of the processing: information is also related to a person where its use is likely to have an impact on that person’s rights and interests.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through “identifiers” such as those listed in Article 4(1) GDPR: a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given that the other identifiers mentioned are often more precise.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both information held by the controller and information held by other entities. However, the requirement that such means be “reasonably likely” to be used narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a website operated by a public authority records the dynamic IP addresses of its visitors, for example, each address relates to an identifiable person because the authority has legal means to obtain from the internet service provider the additional information required to link the address to the visitor.<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means required to identify individuals become increasingly reasonable to use.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as further pieces of information are continuously added to the data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that pseudonymised data which could be attributed to a natural person by the use of additional information remains information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
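As an added example (not part of the original commentary), the following Python code shows how the ‘singling out’ test and the ‘means reasonably likely to be used’ criterion look in practice: a data set released without names is checked for records whose combination of postcode, year of birth and sex is unique, and those records are then linked to a publicly available directory that a controller could reasonably obtain. Both data sets and all names are constructed for the example.<br />

```python
"""Added example, not from the gdprhub commentary: a 'singling out' check.

Recital 26 GDPR asks whether a person is identifiable by means reasonably
likely to be used. One cheap means is linking a supposedly de-identified
record to a public list on a few 'quasi-identifiers' (postcode, birth year,
sex). All records below are constructed sample data.
"""
from collections import Counter

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
RELEASED = [
    {"postcode": "1010", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "1010", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"postcode": "1010", "birth_year": 1991, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "4020", "birth_year": 1975, "sex": "M", "diagnosis": "none"},
    {"postcode": "4020", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
]

# Constructed public directory (e.g. a club membership list) carrying names
# plus the same attributes; the controller could reasonably obtain it.
DIRECTORY = [
    {"name": "A. Berger", "postcode": "1010", "birth_year": 1984, "sex": "F"},
    {"name": "B. Huber",  "postcode": "1010", "birth_year": 1991, "sex": "M"},
    {"name": "C. Maier",  "postcode": "4020", "birth_year": 1975, "sex": "M"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def quasi_key(record):
    """The attribute combination on which records can be linked."""
    return tuple(record[field] for field in QUASI_IDENTIFIERS)


def equivalence_class_sizes(records):
    """How many released records share each quasi-identifier combination.
    A class of size 1 means that record is 'singled out' within the release."""
    return Counter(quasi_key(r) for r in records)


def singled_out(records):
    """Records whose quasi-identifier combination is unique in the release."""
    sizes = equivalence_class_sizes(records)
    return [r for r in records if sizes[quasi_key(r)] == 1]


def link_to_directory(records, directory):
    """Re-identification attempt: join each released record to directory
    entries with the same quasi-identifiers. Only a record that is unique in
    the release AND matches exactly one directory entry is attributed to a
    named person; ambiguous matches are left unattributed."""
    sizes = equivalence_class_sizes(records)
    names_by_key = {}
    for entry in directory:
        names_by_key.setdefault(quasi_key(entry), []).append(entry["name"])
    identified = {}
    for r in records:
        key = quasi_key(r)
        names = names_by_key.get(key, [])
        if sizes[key] == 1 and len(names) == 1:
            identified[names[0]] = r["diagnosis"]
    return identified


if __name__ == "__main__":
    print("singled out:", singled_out(RELEASED))
    print("re-identified:", link_to_directory(RELEASED, DIRECTORY))
```

A record that is unique on its quasi-identifiers within the release is already ‘singled out’ before any name is attached; once a single directory entry shares the same combination, the sensitive attribute is attributed to a named person. This is the kind of low-cost linkage that Recital 26 GDPR requires a controller to anticipate when deciding whether data is anonymous.<br />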
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually let legal personality run from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data within the meaning of the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through that of their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
Since the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nonetheless, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural persons behind it to be derived, such as a company name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data recognised by the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued and used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance footage<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate at a professional examination and the examiner’s comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To qualify as ‘processing’, the operation in question has to be performed on personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means; it does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data or specific criteria), such as grid investigations (also known as ‘dragnet’ searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is not exhaustive and its categories are not mutually exclusive. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action at all with respect to information forced upon it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation requiring the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted when the data is no longer required for the purpose for which it was originally collected but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction shall be ensured by technical means that make sure the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated filing systems, merely marking the data is typically not sufficient; it has to be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Methods of restriction could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> Before a restriction is lifted, the data subject who obtained it has to be informed according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
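As an added example (not code from the original commentary), the following Python snippet shows how the marker described above can be enforced in an automated system: every read or change passes through a check of the marker, the only purposes still allowed are those listed in Article 18(2) GDPR (consent of the data subject, legal claims, protection of the rights of another person, or important public interest), and each decision is logged. The record class, its fields and the purpose names are hypothetical.<br />

```python
"""Added example, not from the gdprhub commentary: enforcing a restriction
marker (Article 4(3) GDPR) in an automated system.

Recital 67 expects technical means ensuring that marked data is neither
further processed nor changed. Article 18(2) GDPR lists the only purposes for
which restricted data may still be processed apart from storage. All names
below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes Article 18(2) GDPR still permits once data is restricted.
PERMITTED_WHILE_RESTRICTED = frozenset({
    "consent_of_data_subject",
    "legal_claims",
    "rights_of_another_person",
    "important_public_interest",
})


class ProcessingRestricted(Exception):
    """Raised when an operation on restricted data is not permitted."""


@dataclass
class CustomerRecord:
    customer_id: str
    email: str
    restricted: bool = False          # the Article 4(3) marker
    restriction_reason: str = ""
    audit: list = field(default_factory=list)

    def _log(self, event, purpose):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, purpose))

    def restrict(self, reason):
        """Set the marker: storage remains allowed, other processing does not."""
        self.restricted = True
        self.restriction_reason = reason
        self._log("restricted", reason)

    def lift(self):
        """Remove the marker. Article 18(3) requires the data subject to be
        informed beforehand; the caller is responsible for that notice."""
        self.restricted = False
        self._log("restriction lifted", "")

    def read(self, purpose):
        """Retrieval is processing (Article 4(2)): while the marker is set it
        is allowed only for a purpose permitted by Article 18(2)."""
        if self.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
            self._log("read denied", purpose)
            raise ProcessingRestricted(
                f"record {self.customer_id} is restricted "
                f"({self.restriction_reason}); purpose '{purpose}' not permitted")
        self._log("read", purpose)
        return {"customer_id": self.customer_id, "email": self.email}

    def update_email(self, new_email, purpose):
        """Alteration is blocked outright while restricted (Recital 67: no changes)."""
        if self.restricted:
            self._log("update denied", purpose)
            raise ProcessingRestricted(
                f"record {self.customer_id} is restricted; no changes allowed")
        self.email = new_email
        self._log("update", purpose)


def marketing_export(records):
    """A routine job: it skips restricted records instead of failing, so the
    marker is honoured everywhere the data is used."""
    exported = []
    for r in records:
        try:
            exported.append(r.read("marketing"))
        except ProcessingRestricted:
            continue
    return exported


if __name__ == "__main__":
    alice = CustomerRecord("c-1", "alice@example.org")
    bob = CustomerRecord("c-2", "bob@example.org")
    bob.restrict("accuracy contested, Article 18(1)(a) GDPR")
    print(marketing_export([alice, bob]))   # only alice's record is exported
    print(bob.read("legal_claims"))         # permitted by Article 18(2) GDPR
```

The point of routing every access through the record's own methods is that the marker cannot be bypassed by a job that simply reads the underlying table; in a real system the same check belongs in the data access layer or database policy rather than in each consumer.<br />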
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical or mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers such as IP addresses, cookie IDs or RFID tags<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health, or more generally personal preferences, interests, behaviour, location and movements. Popular examples are therefore<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated individual decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, for instance by separating or replacing identifying elements. In order to count as pseudonymised, this additional information has to be kept separately and protected through technical and organisational measures which ensure that the data is not attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the irreversible removal of any information allowing the data subject to be identified; the GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.</ref> <br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party carrying out the pseudonymisation is typically still able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR, for example in the following contexts:<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref><br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
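<br />
The separation described above, as an added example that is not part of the GDPRhub commentary: pseudonymisation with a keyed hash whose key and lookup table are held apart from the dataset (so re-identification stays possible only for the party holding that additional information), beside anonymisation, which destroys that information. The records, names and the <code>PseudonymisationKeyStore</code> class are constructed for illustration and do not come from the commentary.<br />

```python
"""Pseudonymisation vs. anonymisation in the sense of Article 4(5) GDPR.

Added illustration: the link to the data subject survives only in a
separately held secret (HMAC key plus lookup table); anonymisation
destroys that secret so the remaining data can no longer be attributed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records with fictional persons (not real data).
RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.com", "diagnosis": "flu"},
    {"name": "Bernd Beispiel", "email": "bernd@example.com", "diagnosis": "asthma"},
    {"name": "Anna Muster", "email": "ANNA@example.com", "diagnosis": "migraine"},
]


@dataclass
class PseudonymisationKeyStore:
    """The 'additional information' that must be kept separately from the
    pseudonymised dataset and protected by technical/organisational measures.
    Hypothetical class for this example."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # pseudonym -> direct identifiers


def pseudonymise(records, store):
    """Replace direct identifiers by a keyed pseudonym (HMAC-SHA256 over the
    normalised e-mail address).

    A keyed hash rather than a bare hash is used on purpose: a bare hash of a
    low-entropy identifier could be recomputed by anyone, so the key is what
    makes the pseudonym uninformative without the separately held secret.
    The same person gets the same pseudonym, so records stay linkable.
    """
    out = []
    for rec in records:
        identifier = rec["email"].strip().lower()
        pseudo = hmac.new(store.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        # The mapping back to the person lives only in the key store.
        store.lookup[pseudo] = {"name": rec["name"], "email": identifier}
        out.append({"subject_id": pseudo, "diagnosis": rec["diagnosis"]})
    return out


def reidentify(pseudonymised_records, store):
    """Invert the pseudonymisation: only possible with the key store."""
    return [
        {**store.lookup[r["subject_id"]], "diagnosis": r["diagnosis"]}
        for r in pseudonymised_records
    ]


def anonymise(pseudonymised_records, store):
    """Destroy the additional information: wipe key and lookup table and drop
    the pseudonym column. What is left cannot be attributed to a person with
    the data at hand, which is the difference Recital 26 GDPR turns on."""
    store.lookup.clear()
    store.key = b""
    return [{"diagnosis": r["diagnosis"]} for r in pseudonymised_records]


def contains_direct_identifiers(records):
    """Check used by the test: no name or e-mail may leave with the dataset."""
    return any("name" in r or "email" in r for r in records)


if __name__ == "__main__":
    keystore = PseudonymisationKeyStore()
    pseudo_data = pseudonymise(RECORDS, keystore)
    print("pseudonymised:", pseudo_data)
    print("re-identified:", reidentify(pseudo_data, keystore))
    print("anonymised:", anonymise(pseudo_data, keystore))
```
<br />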
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; structured information on a single person alone may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19-Guest-Lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data can be a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
Where decisions on the means and purposes of the processing of personal data are taken jointly, these responsibilities can be shared among different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in, and influence on, the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which the data are published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of the visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity subject to obligations under several provisions across the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as reference points for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer take full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception applies to independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of the third party complements the previously defined entities. It constitutes a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process data are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, while considered third parties from the point of view of the controller, such employees become controllers themselves for the processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR differs from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception to the general prohibition of the processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give the information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user has actually given their consent by not deselecting the pre-ticked checkbox or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculties of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may lower that age limit, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal data breach===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing, i.e. a failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to lead to the accidental or unlawful destruction, loss or alteration of personal data, or to unauthorised disclosure of, or access to, such data. Whenever personal data is disclosed, this qualifies as a personal data breach by virtue of the mere possibility of accessing that data; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant for the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches ([[Article 70 GDPR|Article 70(1)(g) and (h) GDPR]]).<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or emerging in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person, obtained from specific technical processing, which allows for a unique identification. While this generally includes any means of analysing and measuring the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that turns the extracted patterns into biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data that does not allow unique identification, such as body size or blood type, is not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may then fall under the definition of ‘health data’, which enjoys protection similar to that of biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].<br />
<br />
===(15) Data concerning health===<br />
‘Data concerning health’, or simply ‘health data’, means any data relating to the physical or mental health of a natural person, including the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref><br />
<br />
Other examples for health data are information about:<br />
<br />
* Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref><br />
* Information on physical or mental incapacity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref><br />
* Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The notion of health data is therefore broader than that of ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow seamless, high-level protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].<br />
<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20032Article 4 GDPR2021-09-23T13:01:00Z<p>JS: Uploading Article 4(14) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements. These, on the other hand, require a new interpretation, and there is scope for one. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of processing the information. In particular, the impact on a particular person's rights and interests determines whether information relates to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, deploying a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person's height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A person's name is therefore not necessarily required to identify an individual, given the identifiers mentioned above, which are often more unique.<ref>For direct identification, the name of a person usually needs to be combined with further information such as a date of birth, address or photo to prevent confusion with possible namesakes; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both the information held by the controller and information held by other entities. However, the requirement that such means be “reasonably likely” to be used by the controller narrows this to a relative (subjective) approach. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment thus requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors to governmental websites, for example, each address relates to an identifiable person, given the state's legal power to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, measures to identify individuals become increasingly reasonably likely.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that even pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is likewise generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data according to the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his or her telephone number or information about his or her working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (a catch-all term for all active operations conducted on personal data), such as using addresses to deliver orders or mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action towards information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, the data has to be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed before a restriction of processing of their personal data is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
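The following Python example is added here to illustrate the 'marker' mechanism described above; it is not code from the page or from any cited source. It assumes a minimal in-memory repository with a live system and a separate archive (standing in for the "other processing system" of Recital 67), a single <code>process()</code> choke point that checks the marker before any operation touches a record, and the assumption that only storage remains permitted while a record is restricted. The record layout, the operation names and the sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional

# Which operations remain permitted on a restricted record is an assumption
# of this example; the commentary only says the purposes are 'very limited'.
PERMITTED_WHILE_RESTRICTED = frozenset({"store"})


class ProcessingRestricted(Exception):
    """Raised when an operation would process a record carrying a restriction marker."""


@dataclass
class Record:
    subject_id: str
    payload: Dict[str, str]
    restricted: bool = False                    # the 'marker' on the data
    restriction_reason: Optional[str] = None
    restricted_on: Optional[date] = None


@dataclass
class Repository:
    """Hypothetical in-memory store. 'live' is the normal processing system;
    'archive' models a separate system with its own access control, one of
    the restriction methods named in Recital 67."""
    live: Dict[str, Record] = field(default_factory=dict)
    archive: Dict[str, Record] = field(default_factory=dict)
    refused: List[str] = field(default_factory=list)   # audit trail of refused operations

    def add(self, rec: Record) -> None:
        self.live[rec.subject_id] = rec

    def restrict(self, subject_id: str, reason: str, today: Optional[date] = None) -> Record:
        # Mark the record and move it out of the live system so that ordinary
        # queries no longer see it. Nothing is erased: restriction is not deletion.
        rec = self.live.pop(subject_id)
        rec.restricted = True
        rec.restriction_reason = reason
        rec.restricted_on = today or date.today()
        self.archive[subject_id] = rec
        return rec

    def lift(self, subject_id: str) -> Record:
        # Lifting the restriction moves the record back into the live system.
        # A real system would notify the data subject here (Article 18(3) GDPR).
        rec = self.archive.pop(subject_id)
        rec.restricted = False
        rec.restriction_reason = None
        rec.restricted_on = None
        self.live[subject_id] = rec
        return rec

    def process(self, subject_id: str, operation: str, fn: Callable[[Record], object]):
        """Single choke point for every operation on a record: the marker is
        checked before fn is allowed to touch the data."""
        rec = self.live.get(subject_id) or self.archive.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        if rec.restricted and operation not in PERMITTED_WHILE_RESTRICTED:
            self.refused.append(f"{operation} on {subject_id} refused: {rec.restriction_reason}")
            raise ProcessingRestricted(self.refused[-1])
        return fn(rec)

    def live_subjects(self) -> List[str]:
        # Ordinary listings only see the live system, so restricted records
        # are not surfaced to users by accident.
        return sorted(self.live)


if __name__ == "__main__":
    repo = Repository()
    repo.add(Record("s1", {"email": "one@example.invalid"}))   # constructed sample data
    repo.add(Record("s2", {"email": "two@example.invalid"}))
    repo.restrict("s1", "accuracy contested by data subject")
    print(repo.live_subjects())                                # ['s2']
    try:
        repo.process("s1", "use", lambda r: r.payload["email"])
    except ProcessingRestricted as exc:
        print("refused:", exc)
    print(repo.process("s1", "store", lambda r: r.subject_id))  # storage still permitted
```

The design point is that the marker is useless if every code path reads records directly; routing all operations through one guarded entry point, and keeping the restricted records out of the default query scope, is what turns a flag in the database into the technical safeguard that Recital 67 sentence 2 GDPR asks for.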
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in connection with online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health, or more general personal preferences, interests and behaviour, as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant for many other provisions across the GDPR, such as its territorial scope (see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR) or automated decision-making ([[Article 22 GDPR]]). In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that, by separating or replacing identifying elements, the information can no longer be attributed to a particular data subject without the use of additional information. For data to count as pseudonymised, this additional information needs to be kept separately and protected through technical and organisational measures that prevent identification of the data subject.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names with IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the recent emergence of big data analytics and growing data processing capabilities, anonymisation is becoming increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
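The following Python example is added here to show the mechanism the commentary on Article 4(5) describes; it is not code from the page or from any cited source. Names are replaced with keyed pseudonyms, the key and the pseudonym-to-name mapping live in a separate key store that stands in for the "additional information" that must be kept apart and secured, and destroying that store is what turns pseudonymised data into anonymised data in the sense of Recital 26. The <code>KeyStore</code> class, the record layout and the sample records are constructed assumptions; the unkeyed <code>naive_hash</code> is included only to show why "hashing" alone does not satisfy the separate-information requirement.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional people, not data from the page).
RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "diagnosis": "allergy"},
    {"name": "Bob Sample", "diagnosis": "fracture"},
    {"name": "Alice Example", "diagnosis": "follow-up"},
]


class KeyStore:
    """The 'additional information' of Article 4(5) GDPR: a secret key and the
    pseudonym -> name mapping. In a real deployment this sits on a separate
    system with its own access controls (a hypothetical split assumed here);
    it is an in-memory object only so that the example runs offline."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.mapping: Dict[str, str] = {}

    def pseudonym_for(self, name: str) -> str:
        # Keyed hash (HMAC-SHA256): the same name always maps to the same
        # pseudonym, so all records about one person stay linkable, but the
        # token cannot be recomputed from a candidate name without the key.
        token = hmac.new(self.key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self.mapping[token] = name
        return token

    def reidentify(self, token: str) -> str:
        # Reversal is only possible with the separately held mapping.
        return self.mapping[token]

    def destroy(self) -> None:
        # Anonymisation in the sense of Recital 26: once key and mapping are
        # definitively deleted, nobody can attribute the tokens any more.
        self.key = b""
        self.mapping.clear()


def pseudonymise(records: List[Dict[str, str]], store: KeyStore) -> List[Dict[str, str]]:
    """Replace the direct identifier 'name' with a pseudonym under 'subject';
    all other fields are passed through unchanged."""
    out = []
    for rec in records:
        rec = dict(rec)                       # do not mutate the caller's data
        rec["subject"] = store.pseudonym_for(rec.pop("name"))
        out.append(rec)
    return out


def naive_hash(name: str) -> str:
    """Unkeyed hash of the name, shown as the weak variant: anyone who knows
    the name recomputes the same token without any separately stored
    information, so nothing is actually kept apart from the data."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    store = KeyStore()
    pseudo = pseudonymise(RECORDS, store)
    print(pseudo)                                        # no 'name' field left
    print(store.reidentify(pseudo[0]["subject"]))        # 'Alice Example'
    store.destroy()                                      # now anonymised
```

Two properties of the example map directly onto the text: re-identification works only through the key store (the data set itself stays personal data of an identifiable person, as Recital 26 says), and once the store is destroyed no party, including the controller, can reverse the tokens, which is the line between pseudonymisation and anonymisation drawn above.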
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied where personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. A filing system also does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be held by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in the commentary on Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose published information the search engine indexes, structures and presents within its search results, alongside advertisements<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which those data are published. Note that the Court treated the operator’s processing as distinct from, and additional to, that of the website publisher, and held the operator to be a controller in its own right in respect of it.</ref><br />
* Facebook and the administrators of fan pages hosted on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have embedded its ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed the ‘Like’ button is taken by the website operator and enables Facebook to obtain personal data of the visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to those processing operations in respect of which it actually determines the purposes and means. It is therefore all the more important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity that faces obligations under several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and merely carries out the technical operations of the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes the personal data for further purposes of its own, it qualifies as a controller in respect of that processing.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
In practice, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
An entity qualifying as a processor is subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]), liability for damages (see [[Article 82 GDPR]]) and administrative fines (see [[Article 83 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the GDPR through a binding data processing agreement between controller and processor. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the prior authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2) and (4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is very broad: it covers any party to which personal data are disclosed, whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer take full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients, on the other hand, are particular units within a company, such as the staff council, or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
A further exception concerns public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is a negative delimitation: a third party is any person other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process the data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Dependent branches or departments of a controller are not third parties either, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is not only a third party from the point of view of the controller, but also becomes a controller in their own right for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in [[Article 6 GDPR|Article 6(1)(a) GDPR]]. It manifests the data subject’s agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR differs from its constitutional counterpart in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent under the GDPR is neither a waiver of fundamental rights nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as one of the exceptions to the general prohibition of processing personal data without a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not merely a legal fiction, it is subject to additional, cumulative criteria laid down in its definition and complemented by [[Article 7 GDPR]]. In order to be valid, consent has to be freely given, specific, informed and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor is it considered freely given where the performance of a contract or service is made conditional on consent to processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent typically occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be requested in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be capable of being “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This gives the information a more substantive and functional role. Moreover, the request for consent has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In line with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended processing and its limits must be described as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously, in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice, it is impossible to ascertain whether a user who has not deselected a pre-ticked checkbox has actually given their consent or has simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent must be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent before consent is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given by the data subject directly or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive capacity of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> For the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 for consent in relation to information society services; Member States may provide for a lower age, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal data breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly mentioned, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing, i.e. a failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks from other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems holding personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or premises,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully passing data on to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data-storing infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Encryption by ransomware where the data cannot be restored,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In addition, the breach of security has to lead to the accidental or unlawful destruction, loss or alteration of the data, or to unauthorised disclosure of, or unauthorised access to, the data. Where personal data are disclosed, the mere possibility of access to the data already qualifies as a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach is especially relevant for the notification and communication obligations of controllers towards DPAs and data subjects according to [[Article 33 GDPR|Articles 33 and 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g) and (h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already present or expected to develop in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data is relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric data===<br />
‘Biometric data’ means data relating to the physical, physiological or behavioural characteristics of a natural person which result from specific technical processing and allow or confirm the unique identification of that person. While characteristics of this kind can in general be analysed and measured by many means,<ref>Usually through the creation of reference templates that are later compared with the data subject for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of specific technical processing and unique identification set a higher threshold.<br />
<br />
The definition itself gives facial images and fingerprints<ref>Also called ‘dactyloscopic data’.</ref> as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not as such considered biometric data.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing, for example through the application of facial recognition software, that turns the extracted patterns into biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may also be considered biometric data.<br />
<br />
Other data which do not allow a unique identification, such as height or blood type, are not biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data may fall under the definition of ‘data concerning health’, which enjoys the same protection under Article 9(1) GDPR as biometric data.<br />
<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div><br />
JS | https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20031 | Article 4 GDPR | 2021-09-23T12:57:05Z<p>JS: Uploading Article 4(13) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these new definitions there is scope for, and a need for, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the derivation of locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose for which information is used creates a relation to a person where it is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one or more of the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given that the other identifiers mentioned are often more unique.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that the use of such information be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a government website collects the IP addresses of its visitors, for example, each address relates to an identifiable person, given the state’s legal power to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as information becomes increasingly accessible through big data technologies, the means required to identify individuals become increasingly “reasonably likely” to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore explicitly states that pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries,<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define legal personality as lasting from the birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is likewise generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company’s name or e-mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data According to the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone number or information about his working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data or specific criteria), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information on a website or making it inaccessible.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action whatsoever on information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation that allows the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of the processing of personal data occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must instead be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical or mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant for many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision making, see [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, considering the recent emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
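<br />
The separation of the pseudonymised records from the “additional information” described in this section, as an added example that is not part of this commentary (Python; the record fields, sample persons and key are constructed, and the uniqueness check over the remaining attributes is an assumed illustration of the “singling out” criterion discussed under Article 4(1) GDPR):<br />
<br />
```python
"""Pseudonymisation versus anonymisation of a small record set (Article 4(5) GDPR).
Added example, not part of the GDPRhub commentary; field names, records and key
are constructed for illustration."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

DIRECT_IDENTIFIERS = ("name", "email")  # removed from the working data set
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # assumed: may single a person out in combination


@dataclass
class AdditionalInformation:
    """The 'additional information' of Article 4(5) GDPR: kept apart from the
    pseudonymised records and protected by its own access controls."""
    key: bytes
    lookup: dict = field(default_factory=dict)  # pseudonym -> removed identifiers


def pseudonym_for(key: bytes, *identifiers: str) -> str:
    """Stable pseudonym via a keyed hash. The key belongs to the additional
    information: without it a pseudonym cannot be recomputed from a guessed
    name, which an unkeyed hash of such a low-entropy value would permit."""
    message = "\x1f".join(identifiers).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, info: AdditionalInformation) -> list:
    """Replace the direct identifiers by a pseudonym; park the removed values
    in the separately kept lookup table."""
    out = []
    for rec in records:
        ids = tuple(rec[f] for f in DIRECT_IDENTIFIERS)
        pid = pseudonym_for(info.key, *ids)
        info.lookup[pid] = dict(zip(DIRECT_IDENTIFIERS, ids))
        out.append({"pseudonym": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out


def reidentify(pseudo_record: dict, info: AdditionalInformation) -> Optional[dict]:
    """Invert the pseudonymisation; only possible with the additional information."""
    ids = info.lookup.get(pseudo_record["pseudonym"])
    if ids is None:
        return None
    return {**ids, **{k: v for k, v in pseudo_record.items() if k != "pseudonym"}}


def destroy_additional_information(info: AdditionalInformation) -> None:
    """Definitive deletion of the re-identification material (a step towards
    anonymisation; whether the rest is still identifiable is a separate question)."""
    info.lookup.clear()
    info.key = b""


def singled_out(pseudo_records: list) -> list:
    """Pseudonyms whose quasi-identifier combination is unique in the set: such a
    record can still be distinguished from all others by its remaining attributes,
    so the person behind it may remain identifiable (Recital 26 GDPR)."""
    def qi(rec):
        return tuple(rec[q] for q in QUASI_IDENTIFIERS)
    counts = Counter(qi(r) for r in pseudo_records)
    return [r["pseudonym"] for r in pseudo_records if counts[qi(r)] == 1]


# Constructed sample data; the fixed key keeps the run reproducible
# (use secrets.token_bytes(32) for a real key).
SAMPLE_RECORDS = [
    {"name": "A. Muster", "email": "a.muster@example.org", "postcode": "1010", "birth_year": 1980, "plan": "basic"},
    {"name": "B. Beispiel", "email": "b.b@example.org", "postcode": "1010", "birth_year": 1980, "plan": "premium"},
    {"name": "C. Test", "email": "c.test@example.org", "postcode": "8010", "birth_year": 1995, "plan": "basic"},
]
SAMPLE_KEY = bytes.fromhex("00" * 31 + "01")


def run_example() -> dict:
    """Pseudonymise, re-identify with and without the additional information,
    and list which records are still singled out by their remaining attributes."""
    info = AdditionalInformation(key=SAMPLE_KEY)
    pseudo = pseudonymise(SAMPLE_RECORDS, info)
    result = {
        "pseudonyms": [r["pseudonym"] for r in pseudo],
        "identifiers_removed": all(f not in r for r in pseudo for f in DIRECT_IDENTIFIERS),
        "reversible_with_info": reidentify(pseudo[0], info)["name"] == "A. Muster",
        "singled_out": singled_out(pseudo),
    }
    destroy_additional_information(info)
    result["reversible_without_info"] = reidentify(pseudo[0], info) is not None
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```
<br />
The third sample record remains singled out by its postcode and birth year even after the lookup table and key are destroyed, which is the situation in which the data set is still not anonymous.<br />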
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored. Storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. A controller can be any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of a ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing within an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>CJEU, C-210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that have embedded a ‘Like Button’<ref>CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing on whose purposes and means it has influence. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is another entity subject to obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires another processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is defined very broadly, i.e. any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer assume full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the obligation to inform data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of autonomy in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception applies to independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant in the balancing of interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, apart from being considered a third party from the point of view of the controller, the employee becomes a controller in their own right for that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given by a written, electronic or oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception to the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not a mere legal fiction, it must satisfy additional, cumulative criteria laid down in its definition and complemented by [[Article 7 GDPR]]. For consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> It is also not considered freely given where it is made conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Situations in which asymmetries of power and bundled consent typically occur include:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
The request for consent needs to be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also be capable of being “digested” by the data subject.<ref>EUCJ, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent to the processing of personal data can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice, it is impossible to ascertain whether a user who has not deselected a pre-ticked checkbox has actually given their consent or has simply not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent must be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
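The criteria above (a clear affirmative action rather than a pre-ticked box, consent text kept separate from other matters, withdrawal as easy as giving consent, and the controller's duty under Article 7(1) GDPR to demonstrate consent) can be enforced in the form logic that captures consent. The following JavaScript is an added example and is not part of the GDPRhub commentary or of any decision cited on this page; the function names, the form-state fields (defaultChecked, userChanged, infoShownSeparately, textVersion) and the purpose identifiers are assumptions for illustration, and the form state is modelled without a browser DOM so the code runs offline.<br />
<br />
```javascript
// Added example (not from the GDPRhub commentary): consent capture that
// enforces the Article 4(11) / Article 7 GDPR criteria discussed above.
// Function names, form-state fields and purpose ids are assumptions.

// Purposes must be specific: each purpose gets its own checkbox and its own
// record, never one blanket "I agree to everything" box.
const PURPOSES = ['newsletter', 'analytics'];

// Check one checkbox as it was presented to the user and as it was submitted.
// Returns null when consent for this purpose is valid, otherwise the reason.
function consentDefect(box) {
  if (box.defaultChecked) {
    // Planet49: a box that was already ticked when the page loaded cannot
    // show an active choice, whatever its state on submission.
    return 'pre-ticked: no clear affirmative action';
  }
  if (!box.checked) {
    return 'not ticked: silence or inactivity is not consent';
  }
  if (!box.userChanged) {
    // Ticked without a user interaction event (e.g. set by script).
    return 'not changed by the user: no clear affirmative action';
  }
  if (!box.infoShownSeparately) {
    // The request must be distinguishable from other matters (Art. 7(2)).
    return 'consent text bundled with other matters';
  }
  return null;
}

// Build the controller's evidence (Art. 7(1): the controller must be able to
// demonstrate that the data subject consented). Each purpose is recorded
// separately; a defective box yields no record for that purpose.
function recordConsent(formState, now = new Date()) {
  const records = [];
  const rejected = {};
  for (const purpose of PURPOSES) {
    const box = formState[purpose];
    if (!box) { rejected[purpose] = 'no checkbox presented'; continue; }
    const defect = consentDefect(box);
    if (defect) { rejected[purpose] = defect; continue; }
    records.push({
      purpose,
      givenAt: now.toISOString(),
      textVersion: box.textVersion, // which wording the data subject saw
      withdrawnAt: null,
    });
  }
  return { records, rejected };
}

// Withdrawal must be as easy as giving consent: one call, no justification.
// The record is kept and time-stamped rather than deleted, so the controller
// can still demonstrate what was consented to and when it was withdrawn.
function withdrawConsent(records, purpose, now = new Date()) {
  let found = false;
  for (const r of records) {
    if (r.purpose === purpose && r.withdrawnAt === null) {
      r.withdrawnAt = now.toISOString();
      found = true;
    }
  }
  return found;
}

// Is there currently valid (given and not withdrawn) consent for a purpose?
function hasConsent(records, purpose) {
  return records.some(r => r.purpose === purpose && r.withdrawnAt === null);
}

// Constructed sample form state: the newsletter box was pre-ticked (invalid),
// the analytics box was ticked by the user after a separately shown text.
const SAMPLE_FORM = {
  newsletter: { defaultChecked: true,  checked: true, userChanged: false,
                infoShownSeparately: true, textVersion: 'v3' },
  analytics:  { defaultChecked: false, checked: true, userChanged: true,
                infoShownSeparately: true, textVersion: 'v3' },
};

// Walk through giving and later withdrawing consent on the sample form.
function demo() {
  const { records, rejected } = recordConsent(SAMPLE_FORM, new Date('2021-10-01T12:00:00Z'));
  withdrawConsent(records, 'analytics', new Date('2021-10-02T09:30:00Z'));
  return { records, rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```
In a real form the box object would be filled from the checkbox element and its change event; the point of the check is that a box which was already ticked when the page loaded never produces a consent record, and that withdrawal neither deletes the record nor asks for a reason.<br />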
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, which Member States may lower, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions of the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal data breach ===<br />
A ‘personal data breach’ can be understood as any security incident concerning personal data. The breach must relate to the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, a breach of security within that processing is required. This is any failure of the technical or organisational safeguards which the controller has implemented according to [[Article 32 GDPR]]. Such failures can be caused by targeted attacks by other parties or by the mishandling of personal data by the controller or by persons acting under its instructions, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, the incident has to result in the accidental or unlawful destruction, loss or alteration of data, or in the unauthorised disclosure of or access to it. Whenever personal data are disclosed, this qualifies as a personal data breach by virtue of the mere possibility of accessing the data; actual access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach becomes especially relevant in terms of the controller's obligations to notify DPAs and to communicate with data subjects according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g), (h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic data===<br />
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions about growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data are obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.<br />
<br />
The classification as genetic data becomes relevant under [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict conditions.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows the unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> about them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially with regard to hereditary diseases, genetic data therefore carry a high risk of abuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref><br />
<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20030Article 4 GDPR2021-09-23T12:45:23Z<p>JS: Uploading Article 4(12) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require, and leave scope for, a new interpretation.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the individual’s working, economic or social behaviour, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly from the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given that the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach, which generally considers both information held by the controller and information held by other entities. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a government website collects the IP addresses of its visitors, for example, each address relates to an identifiable person, given the state’s legal power to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that even pseudonymised data remain information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define a natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where the data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company’s name or mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data According to CJEU Case Law====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step regarding information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; rather, the data must be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
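As an added example that is not part of the original commentary, the following Python sketch implements the mechanism described above: a restriction marker on a record, relocation of restricted records to a separate store that ordinary user queries cannot see, an audit trail, and a guard that refuses every operation other than storage unless the stated purpose is one of the narrow exceptions. The set of permitted purposes is an assumption modelled on Article 18(2) GDPR, and the record contents are constructed.<br />
<br />
```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Operation(Enum):
    """Processing operations from the Article 4(2) GDPR list that the store guards."""
    STORAGE = "storage"
    RETRIEVAL = "retrieval"
    ALTERATION = "alteration"
    DISCLOSURE = "disclosure"
    ERASURE = "erasure"


# Assumption: the narrow purposes for which a restricted record may still be
# processed beyond mere storage, modelled on Article 18(2) GDPR.
PERMITTED_WHILE_RESTRICTED = frozenset(
    {"consent_of_data_subject", "legal_claims", "protection_of_others", "public_interest"}
)


class ProcessingRestricted(Exception):
    """Raised when an operation on a restricted record is blocked."""


@dataclass
class Record:
    record_id: str
    data: Dict[str, str]
    restricted: bool = False  # the marker that 'locks' the record (Recital 67 GDPR)


class RecordStore:
    """Two separate stores: restricted records are relocated out of the active
    store so that ordinary user queries cannot see them."""

    def __init__(self) -> None:
        self._active: Dict[str, Record] = {}
        self._restricted: Dict[str, Record] = {}
        self.audit: List[Tuple[str, ...]] = []  # evidence that the lock was enforced

    def add(self, record: Record) -> None:
        self._active[record.record_id] = record

    def user_visible_ids(self) -> List[str]:
        """What a regular user or application sees: restricted records are absent."""
        return sorted(self._active)

    def restrict(self, record_id: str) -> None:
        """Mark the record and move it to the separate restricted store."""
        record = self._active.pop(record_id)
        record.restricted = True
        self._restricted[record_id] = record
        self.audit.append(("restrict", record_id))

    def lift_restriction(self, record_id: str) -> None:
        """Reverse of restrict(); informing the data subject beforehand
        (Article 18(3) GDPR) is outside this sketch."""
        record = self._restricted.pop(record_id)
        record.restricted = False
        self._active[record_id] = record
        self.audit.append(("lift", record_id))

    def _find(self, record_id: str) -> Optional[Record]:
        return self._active.get(record_id) or self._restricted.get(record_id)

    def process(self, record_id: str, op: Operation, purpose: str) -> Dict[str, str]:
        """Technical safeguard: a restricted record may only be stored, unless the
        stated purpose is one of the permitted exceptions."""
        record = self._find(record_id)
        if record is None:
            raise KeyError(record_id)
        if (record.restricted and op is not Operation.STORAGE
                and purpose not in PERMITTED_WHILE_RESTRICTED):
            self.audit.append(("blocked", record_id, op.value, purpose))
            raise ProcessingRestricted(f"{op.value} of {record_id} for '{purpose}' is blocked")
        self.audit.append(("allowed", record_id, op.value, purpose))
        return dict(record.data)


if __name__ == "__main__":
    store = RecordStore()
    store.add(Record("r1", {"name": "Alice Example"}))  # constructed sample record
    store.restrict("r1")
    print(store.user_visible_ids())                      # []
    print(store.process("r1", Operation.STORAGE, "retention"))
    try:
        store.process("r1", Operation.ALTERATION, "marketing")
    except ProcessingRestricted as exc:
        print(exc)
```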
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour, as well as locations and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application (see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR) or automated decision making ([[Article 22 GDPR]]). In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.</ref> <br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood under Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time required and the technology available to identify the data subject. However, with the recent emergence of big data analytics and growing data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
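The following Python example is added here and is not part of the original commentary. It pseudonymises constructed customer records by replacing the direct identifiers with keyed hashes (HMAC-SHA256), keeps the key and the re-identification table in a separate vault object (the ‘additional information’ of Article 4(5) GDPR), shows that only the vault holder can re-identify and that destroying the vault leaves the records anonymised, and contrasts this with an unkeyed hash of an identifier, which anyone who already holds a candidate identifier can recompute. The record contents and the vault class are constructed for this example.<br />
<br />
```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the names and addresses are not real people.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 42.0},
    {"name": "Bob Example", "email": "bob@example.org", "order_total": 17.5},
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 8.0},
]

DIRECT_IDENTIFIERS = ("name", "email")


class IdentityVault:
    """The 'additional information' of Article 4(5) GDPR, held separately from
    the pseudonymised records: the HMAC key plus the pseudonym -> identifier
    table. Only a party holding this object can re-identify the data subject;
    deleting it leaves the records anonymised (Recital 26 GDPR)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        """Keyed hash: deterministic per key, so the same person gets the same
        pseudonym (records stay linkable), but unguessable without the key."""
        if self._key is None:
            raise RuntimeError("vault destroyed: no further pseudonyms can be issued")
        tag = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Invert the pseudonymisation; None when this vault did not issue it."""
        return self._lookup.get(pseudonym)

    def destroy(self) -> None:
        """Definite deletion of the re-identification information."""
        self._key = None
        self._lookup.clear()


def pseudonymise(record: Dict[str, object], vault: IdentityVault) -> Dict[str, object]:
    """Return a copy of the record with direct identifiers replaced by pseudonyms;
    the remaining fields (here the order total) are kept for analysis."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.pseudonym_for(str(out[field]))
    return out


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier, the weak variant shown for comparison."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def unkeyed_hash_confirms(candidate: str, stored_hash: str) -> bool:
    """Caveat: a plain hash is not pseudonymisation in the sense of Article 4(5)
    GDPR, because no secret is 'kept separately': whoever already holds a
    candidate identifier can recompute the hash and confirm the match, so the
    technical and organisational measures the definition demands have nothing
    to protect. The keyed hash in IdentityVault does not have this weakness."""
    return hmac.compare_digest(plain_hash(candidate), stored_hash)


if __name__ == "__main__":
    vault = IdentityVault()
    pseudo = [pseudonymise(r, vault) for r in SAMPLE_RECORDS]
    print(pseudo)                                        # identifiers replaced, totals kept
    print(vault.reidentify(str(pseudo[0]["email"])))     # alice@example.org
    vault.destroy()
    print(vault.reidentify(str(pseudo[0]["email"])))     # None: now anonymised
```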
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information to be stored on multiple persons; even storing structured information on a single person may qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing within an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing on which it has influence regarding purposes and means. This makes it especially important to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the next entity facing obligations under several provisions across the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires another processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully assume responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller from informing the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of sovereignty in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. Its notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller is not a third party, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, although considered a third party from the controller's point of view, they become controllers themselves with regard to that processing.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent usually occur are:<br />
<br />
* Relationships with Public Authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-Employee-Relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of Major Digital Services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to estimate the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information shall also be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously in the form of a clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed in recent case law of the Court of Justice on cookies, where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had simply not noticed the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given directly by the data subject or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent depends on the individual cognitive faculty of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides for a minimum age of 16, while Member States may not lower that age limit to below 13.<br />
<br />
==== Explicit Consent ====<br />
The more qualified form of ‘explicit’ consent is required by several other provisions across the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal data breach ===<br />
A ‘personal data breach’ can be considered as any security incident regarding personal data. The breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ see Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref><br />
<br />
Moreover, it requires a breach of security within that processing. This covers any failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]]. Such failures can be caused either by targeted attacks by other parties or by the mishandling of personal data by the controller or by persons acting under its instruction, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples of security breaches are:<br />
<br />
* Hacking attacks on systems involving personal data,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Missing access protection for data storage facilities or buildings,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Sending data to unintended recipients,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Employees unlawfully distributing data to third parties,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref><br />
* Accidentally publishing or leaking data on a website,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
* Loss of physical data carriers,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
* Destruction of data storage infrastructure,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Irreversible encryption by ransomware,<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref><br />
* Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Finally, as a consequence of the security breach, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of, or access to, such data. Where personal data is disclosed, the mere possibility of accessing that data already qualifies the incident as a personal data breach; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref><br />
<br />
The notion of a personal data breach is particularly relevant for the notification and communication obligations of controllers towards data subjects and DPAs under [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB may issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref><br />
<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other Articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20029Article 4 GDPR2021-09-23T12:38:03Z<p>JS: Uploading Article 4(11) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for these new definitions there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is concerned, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows one to infer the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information causes a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for monitoring the performance of the respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a bigger group of persons directly from the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through several “identifiers” listed by Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned identifiers, which are often more unique.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both the information of the controller and information from other entities to identify a person. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define personhood as lasting from the moment of birth until the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company’s name or mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data Considered by the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered as 'processing', the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive, without taking any active action towards information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation for the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions on the processing of personal data occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must instead be relocated to a separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical methods to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is either separated or replaced so that it can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names with IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive removal of any information allowing identification of the data subject; the GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data turns on the decisive criterion of Recital 26 sentences 3 and 4 GDPR: whether identification is reasonably likely, taking into account the costs, the time required and the technology available to identify the data subject. However, given the rise of big data analytics and ever-growing processing capabilities, anonymisation is becoming increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject must be stored separately and secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this way, pseudonymisation reduces the risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(5) GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and of integrity and confidentiality ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
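The following is an added example, not part of this commentary or of any source cited here, which illustrates the point made above that hashing or encryption only pseudonymises if the means of re-identification is held separately. It contrasts an unkeyed SHA-256 of an e-mail address, which anyone able to enumerate plausible addresses can reverse simply by recomputing it, with an HMAC under a secret key that the controller stores apart from the dataset as the ‘additional information’ of Article 4(5) GDPR. The records, the attacker's candidate list and all function names are constructed for illustration.<br />

```python
"""Added example: keyed pseudonymisation (HMAC) versus a plain hash,
with the re-identification information held apart from the dataset.
Sample records and candidate lists are constructed; no real persons."""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical shop data).
RECORDS = [
    {"email": "alice@example.com", "purchase": "running shoes"},
    {"email": "bob@example.com", "purchase": "tent"},
    {"email": "alice@example.com", "purchase": "water bottle"},
]

# Constructed list of identifiers an attacker could plausibly enumerate
# (a leaked address list, or every address in a company directory).
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _normalise(identifier: str) -> bytes:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' map alike."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This looks like a pseudonym, but no secret is involved: anyone who
    can enumerate plausible identifiers can recompute it and match.
    """
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' of Article 4(5): without it
    the pseudonym cannot be recomputed, so enumeration attacks fail.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier by a keyed pseudonym.

    Records of the same person keep the same pseudonym, so the dataset
    stays linkable for analysis; it therefore remains personal data for
    whoever holds the key.
    """
    return [{"pid": keyed_pseudonym(r["email"], key), "purchase": r["purchase"]}
            for r in records]


def build_reidentification_table(identifiers, key: bytes) -> dict:
    """Mapping pseudonym -> identifier which the controller keeps
    separately from the pseudonymised dataset, under its own access
    controls (the technical and organisational measures of Art. 4(5))."""
    return {keyed_pseudonym(i, key): i for i in identifiers}


def dictionary_attack(pseudonyms, candidates, pseudonym_fn) -> dict:
    """Attacker model: recompute the pseudonym of every candidate
    identifier with the function available to the attacker and look
    for matches in the (leaked) pseudonymised data."""
    table = {pseudonym_fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Run both schemes against the same attacker; returns
    (identifiers recovered from plain hashes,
     identifiers recovered from keyed pseudonyms without the key,
     identifiers the key holder re-identifies from its separate table)."""
    key = secrets.token_bytes(32)  # generated once, stored outside the dataset

    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    recovered_naive = dictionary_attack(naive, CANDIDATES, naive_pseudonym)

    dataset = pseudonymise(RECORDS, key)
    pids = [r["pid"] for r in dataset]
    # The attacker obtained the dataset and the candidate list, not the key.
    recovered_keyed = dictionary_attack(pids, CANDIDATES, naive_pseudonym)
    # The controller holds the separately stored table and can re-identify.
    table = build_reidentification_table(CANDIDATES, key)
    reidentified = [table.get(p) for p in pids]
    return len(recovered_naive), len(recovered_keyed), reidentified


if __name__ == "__main__":
    print(demo())
```

Running the example recovers both addresses from the plain hashes and none from the keyed pseudonyms, while the key holder re-identifies every record from its separate table. Two consequences for practice follow directly: the keyed dataset is only as protected as the key, so an attacker who obtains key and dataset together is in the same position as with plain hashes, which is why the separation requirement matters; and because the key holder can always reverse the mapping, the dataset remains personal data in its hands and is not anonymised in the sense of Recital 26.<br />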
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the technologically neutral approach followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when the personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on several, in a centralised or decentralised manner. Nor does a filing system require information on multiple persons: structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Examples include:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations laid down in the GDPR. Any natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data is a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data are processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller must ensure, and be able to demonstrate, that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
Where the purposes and means of the processing are determined jointly, these responsibilities can be shared between several entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. The participation in and influence on the purposes and means can differ considerably among the actors involved in the processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which they are published.</ref><br />
* Facebook and the administrators of fan pages hosted on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of its visitors' personal data.</ref><br />
* Facebook and websites that embed a ‘Like’ button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like’ button is made by the website operator and enables Facebook to obtain personal data of visitors to that website.</ref><br />
<br />
In each case, however, the responsibility of each entity is limited to those operations for which it actually determines the purposes and means of the processing. This makes it particularly important to clarify the responsibilities of each controller in accordance with [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the controller's instructions and merely carries out the technical operations of the processing.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes of its own, it becomes a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed examples of typical controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
An entity qualifying as a processor is subject to many provisions of the GDPR, such as the obligation to implement technical and organisational measures (see [[Article 32 GDPR]]) and liability for damage caused by processing (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which secures compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the prior authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2) and (4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of recipient is very broad: any party to which personal data are disclosed, whether a third party or not. Therefore, whenever a controller discloses personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of recipient is primarily relevant to the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject of the recipients or categories of recipients of their personal data. The rationale is that a controller which discloses personal data to another entity can no longer take full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of recipient is entirely independent of that of third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR, the processor has been given its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is therefore also to be regarded as a recipient. Consequently, [[Article 28 GDPR]] does not relieve the controller of its duty to inform data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Not considered recipients, on the other hand, are particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a certain degree of independence in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the controller's internal structure are therefore not classified as recipients.<br />
<br />
Another exception concerns public authorities which receive personal data in the framework of a particular inquiry, such as tax or customs authorities or independent administrative authorities.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries must, however, be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of third party complements the entities defined before it. It is a negative definition: a third party is any person other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data. The notion is mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller to process personal data are not third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Dependent branches or departments of a controller are likewise not third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, besides being regarded as a third party from the controller's point of view, the employee becomes a controller in their own right for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
Consent is the first legal basis listed in Article 6(1)(a) GDPR. It expresses the data subject's agreement to the processing of their personal data. It can be given by a written statement, including by electronic means, or by an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject's acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref><br />
<br />
The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].<br />
<br />
To ensure that consent is not merely a legal fiction, it must meet additional, cumulative criteria which are laid down in its definition and complemented by [[Article 7 GDPR]]. In order to be valid, consent has to be freely given, specific, informed and unambiguous. It is the controller's duty to demonstrate that the data subject has consented to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref><br />
<br />
==== Freely Given ====<br />
Consent is only freely given where there is no clear imbalance between the data subject and the controller.<ref>Recital 43 sentence 1 GDPR.</ref> Nor is it considered freely given where the performance of a contract or service is made conditional on consent to the processing of personal data that is not necessary for that performance.<ref>Recital 43 sentence 2 GDPR.</ref><br />
<br />
Examples where asymmetries of power and bundled consent typically occur are:<br />
<br />
* Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref><br />
* Employer-employee relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref><br />
* Use of major digital services with few alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref><br />
<br />
==== Informed ====<br />
The request for consent needs to be presented in an intelligible and easily accessible form, using clear and plain language. Data subjects must be able to understand the circumstances of the processing of their personal data in order to assess the consequences and implications of giving their consent.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> According to recent case law of the Court of Justice, the information must also actually be “digested” by the data subject.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> This appears to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, such as terms and conditions. For more information, see the commentary on [[Article 7 GDPR|Article 7(2) GDPR]].<br />
<br />
==== Specific ====<br />
In accordance with the principle of purpose limitation in [[Article 5 GDPR|Article 5(1)(b) GDPR]], consent must be given for specific and legitimate purposes. While consent can be given for one or several purposes at the same time,<ref>Recital 32 sentences 5, 6 GDPR.</ref> the intended purposes and their limits must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].<br />
<br />
==== Unambiguous ====<br />
Consent must be given unambiguously, by a clear affirmative action. Silence, pre-ticked boxes or inactivity do not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> The Court of Justice has stressed this in recent case law on cookies: a pre-ticked checkbox which the user must deselect in order to refuse consent cannot demonstrate active behaviour.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> In practice it is impossible to ascertain whether a user who did not deselect the pre-ticked checkbox actually consented or simply did not notice the information provided.<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref><br />
<br />
==== Withdrawal ====<br />
Consent can be withdrawn at any time. Withdrawing consent must be as easy as giving it. The controller has to inform the data subject of the right to withdraw consent before consent is given. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].<br />
<br />
==== Capacity ====<br />
Generally, consent must be given by the data subject personally or by a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the capacity to consent depends on the individual cognitive abilities of the data subject.<ref>''Buchner, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 2017, p. 111.</ref> For information society services offered directly to a child, [[Article 8 GDPR|Article 8(1) GDPR]] sets a minimum age of 16, which Member States may lower, but not below 13.<br />
<br />
==== Explicit Consent ====<br />
The qualified form of ‘explicit’ consent is required by several other provisions of the GDPR. For more detailed information, see the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].<br />
<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20028Article 4 GDPR2021-09-23T12:20:54Z<p>JS: Uploading Article 4(10) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these there is both scope and need for a new interpretation. <br />
<br />
Since the Regulation is legally binding in all official languages of the EU, linguistic inconsistencies between language versions could lead to an inconsistent application of the law. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the individual’s working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about, e.g., her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, with the growing number of personal devices, wearables and RFID chips, information on such devices increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one or more of the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given that the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified, but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach, which generally considers both the controller's own information and information held by other entities as means to identify a person. However, the requirement that the use of such information by the controller be “reasonably likely” narrows this to a relative (subjective) approach. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on whether identification of an individual is reasonably likely, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a state authority collects the IP addresses of visitors to its websites, for example, each address relates to an identifiable person, given the state’s legal powers to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, the means required to identify individuals become increasingly reasonably likely to be used.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For this reason, pseudonymised data explicitly remains information on an identifiable person according to Recital 26 GDPR. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define legal personhood as lasting from the moment of birth until the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is likewise generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. Especially where information on a legal person, such as the company’s name or e-mail address, allows information on the natural person behind it to be derived, it may relate to that natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to their recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered ‘processing’, the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can be either a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, in files, on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other data or specific criteria), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step with regard to information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of Processing===<br />
The restriction of processing means neither a complete prohibition to process nor an erasure of personal data. It limits the controller to processing the personal data in question only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions to the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that make sure the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, the data has to be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
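The following Python module illustrates how the marker-based approach described above can be enforced in an automated system: the record carries a restriction flag, storage continues unaffected, published copies are withdrawn, and any update or transmission is refused and logged. This is an added example, not code from GDPRhub or from any of the cited commentaries; the store layout, the operation names and the sample record are assumptions made for the illustration.<br />

```python
"""Restriction of processing (Article 4(3) GDPR) enforced as a marker on the
record, with technical safeguards in the data-access layer.

Added illustration; not code from GDPRhub or any cited commentary. The store
layout, the operation names and the sample record are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


class ProcessingRestricted(Exception):
    """Raised when an operation other than storage is attempted on restricted data."""


@dataclass
class Record:
    subject_id: str
    data: dict
    published: bool = False
    restricted: bool = False
    restricted_since: Optional[date] = None
    restriction_reason: str = ""


class RecordStore:
    """In-memory store. Every operation that reads, changes or transmits a
    record first checks the restriction marker; storage itself is unaffected."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        # Refused operations are logged so that attempts remain visible.
        self.audit_log: List[Tuple[str, str, str]] = []

    def put(self, subject_id: str, data: dict, published: bool = False) -> None:
        self._records[subject_id] = Record(subject_id, dict(data), published)

    def _guard(self, subject_id: str, operation: str) -> Record:
        """Technical safeguard: refuse anything but storage on a restricted record."""
        rec = self._records[subject_id]
        if rec.restricted:
            self.audit_log.append((subject_id, operation, "refused: processing restricted"))
            raise ProcessingRestricted(f"{operation} on {subject_id} is restricted")
        return rec

    def restrict(self, subject_id: str, reason: str, today: Optional[date] = None) -> None:
        """Mark the record. Published copies are withdrawn (Recital 67 GDPR) and the
        data subject is to be informed (Article 18(3) GDPR); the notification is
        recorded here only as an audit event, not actually sent."""
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restricted_since = today or date.today()
        rec.restriction_reason = reason
        rec.published = False
        self.audit_log.append((subject_id, "restrict", reason))
        self.audit_log.append((subject_id, "notify_data_subject", "restriction applied"))

    def lift(self, subject_id: str) -> None:
        """Remove the marker; normal processing resumes afterwards."""
        rec = self._records[subject_id]
        rec.restricted = False
        rec.restricted_since = None
        rec.restriction_reason = ""
        self.audit_log.append((subject_id, "lift", "restriction lifted"))

    def update(self, subject_id: str, **changes) -> None:
        self._guard(subject_id, "update").data.update(changes)

    def transmit(self, subject_id: str, recipient: str) -> dict:
        rec = self._guard(subject_id, f"transmit to {recipient}")
        return dict(rec.data)

    def is_stored(self, subject_id: str) -> bool:
        """Storage is still permitted: restriction does not delete the record."""
        return subject_id in self._records

    def is_published(self, subject_id: str) -> bool:
        return self._records[subject_id].published


if __name__ == "__main__":
    store = RecordStore()
    # Constructed sample record.
    store.put("subj-1", {"name": "Sample Person", "address": "1 Example Street"}, published=True)
    store.restrict("subj-1", "accuracy contested by data subject")
    try:
        store.update("subj-1", address="2 Example Street")
    except ProcessingRestricted as exc:
        print("refused:", exc)
    print(store.audit_log)
```

The guard sits in the data-access layer rather than in each caller, so a new operation added later cannot accidentally bypass the marker; the audit log gives the evidence a supervisory authority would ask for when checking that a restriction was honoured.<br />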
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical and mathematical methods to personal data, producing predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling plays a role in many other provisions across the GDPR, such as its territorial application (see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR) or automated decision-making ([[Article 22 GDPR]]). In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is separated or replaced so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names with IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 5/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time required and the technology available to identify the data subject. However, considering recent developments in big data analytics and data processing capabilities, anonymisation becomes increasingly difficult to achieve.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
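The following Python module illustrates the distinction drawn in the preceding paragraphs: names and e-mail addresses are replaced by pseudonyms computed with a key that a separate custodian holds (the ‘additional information’), the party holding that key can re-identify the records while anyone without it cannot, and an anonymised aggregate keeps no link at all. It also shows why a plain, unkeyed hash of a guessable identifier is weaker than the commentaries’ shorthand ‘hashing’ suggests. This is an added example, not code from GDPRhub or from any cited commentary; the records, identifiers and keys are constructed sample data.<br />

```python
"""Pseudonymisation versus anonymisation in the sense of Article 4(5) GDPR.

Added illustration; this is not code from GDPRhub or from any of the cited
commentaries. All records, identifiers and keys below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample dataset held by a controller (two rows belong to Alice).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.org", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.org", "purchases": 2},
]


@dataclass
class KeyCustodian:
    """Holds the 'additional information' (a secret key) separately from the
    pseudonymised dataset, as Article 4(5) GDPR requires."""

    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: the pseudonym cannot be recomputed from a guessed
        # identifier without the key, unlike the plain hash below.
        return hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def plain_hash_pseudonym(identifier: str) -> str:
    """Unkeyed hash of an identifier. Commentators list hashing as a form of
    pseudonymisation, but anyone who can guess the input (e-mail addresses are
    guessable) recomputes the same value, so the link is easy to restore."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def pseudonymise(records: Iterable[dict], custodian: KeyCustodian) -> List[dict]:
    """Replace the direct identifiers with a keyed pseudonym; keep the payload.
    The result is still personal data (Recital 26 GDPR): the custodian can
    re-identify it, so the dataset must be protected accordingly."""
    return [
        {"pid": custodian.pseudonym(rec["email"]), "purchases": rec["purchases"]}
        for rec in records
    ]


def reidentify(pseudonymised: Iterable[dict], custodian: KeyCustodian,
               known_identifiers: Iterable[str]) -> List[dict]:
    """Re-identification by the party holding the key: recompute the pseudonym
    for each identifier it already knows and join. With a different key (or no
    key at all) every lookup fails, which is what 'kept separately' buys."""
    table: Dict[str, str] = {custodian.pseudonym(i): i for i in known_identifiers}
    return [{**rec, "email": table.get(rec["pid"])} for rec in pseudonymised]


def anonymise(records: Iterable[dict]) -> dict:
    """Anonymisation: no per-person record survives, only an aggregate, so no
    additional information exists anywhere that could restore the link."""
    records = list(records)
    return {
        "persons": len({rec["email"] for rec in records}),
        "total_purchases": sum(rec["purchases"] for rec in records),
    }


def leaks_direct_identifiers(records: Iterable[dict]) -> bool:
    """Sanity check a controller can run before handing a dataset to a
    processor: does any row still carry a name or e-mail field?"""
    return any("name" in rec or "email" in rec for rec in records)


if __name__ == "__main__":
    custodian = KeyCustodian()
    pseud = pseudonymise(SAMPLE_RECORDS, custodian)
    print(pseud)
    print(reidentify(pseud, custodian, ["alice@example.org", "bob@example.org"]))
    print(reidentify(pseud, KeyCustodian(), ["alice@example.org"]))  # wrong key: nothing
    print(anonymise(SAMPLE_RECORDS))
```

Note that the pseudonymised rows still let the two Alice purchases be linked to one another; that linkability is the point of pseudonymisation and the reason Recital 26 GDPR keeps such data within the Regulation, whereas the aggregate returned by the anonymisation step carries nothing that any key could reverse.<br />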
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet a number of obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> including:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
<br />
===(6) Filing System===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when the personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. A filing system also does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data is a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
Where decisions on the means and purposes of the processing of personal data are taken jointly, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership has been assumed between:<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and the administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that have integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires another processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broad: any party to which personal data is disclosed, irrespective of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, once it discloses personal data to another entity, can no longer fully assume responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is discussed whether a processor is also a recipient. On the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of the obligation to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
Particular units within a company, such as the staff council or dependent establishments of the controller, are, on the other hand, not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of sovereignty in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, receiving personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third Party===<br />
The concept of a third party complements the previously defined entities. It is a negative delimitation: a third party is any person other than the data subject, the controller, the processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when balancing interests, such as under Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref><br />
<br />
It follows from the definition that processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, the internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In that case, the employee is not only a third party from the controller's point of view but also becomes a controller in their own right for that processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><br />
<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20027Article 4 GDPR2021-09-23T12:14:29Z<p>JS: Uploading Article 4(9) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. In the case of such new definitions, on the other hand, there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into the four requirements of (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).<br />
</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, also the European Court of Human Rights stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> On the contrary, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about their driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly from the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the several “identifiers” listed by Article 4(1) GDPR, such as the name, identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned, often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities to identify a person. However, the “reasonable likelihood” of such information being used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data according to the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally also not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company’s name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for small businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples for Personal Data subject to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered ‘processing’, the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilizing postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information impossible to access), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive, taking no active action towards information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition on processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions on the processing of personal data occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realized through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction should be ensured by technical safeguards ensuring that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; it requires relocation to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
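The mechanics described above (a marker that locks the record, relocation to a separate system, removal from the published view, and a record of the information duty) can be implemented in a small gatekeeper. The following is an added example written for this commentary, not code from any project or authority; the set of purposes still permitted while a record is restricted is a hypothetical policy choice, and the sample records and notification texts are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RestrictedProcessingError(Exception):
    """Raised when restricted data is touched for a purpose the restriction does not permit."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False  # the marker that 'locks' the data (Article 4(3) GDPR)


@dataclass
class RecordStore:
    # Hypothetical policy for this example: the only purposes still allowed while
    # a record is restricted. The commentary speaks of 'very limited purposes'
    # without enumerating them, so this set is an assumption.
    allowed_while_restricted: frozenset = frozenset({"storage", "legal_claims"})
    active: Dict[str, Record] = field(default_factory=dict)
    # Separate system into which restricted records are moved
    # ('temporarily moving selected data to another processing system').
    quarantine: Dict[str, Record] = field(default_factory=dict)
    # Log of the information duty towards the data subject (Article 18(3) GDPR);
    # the message text is constructed for the example.
    notifications: List[str] = field(default_factory=list)

    def add(self, record: Record) -> None:
        self.active[record.subject_id] = record

    def restrict(self, subject_id: str) -> None:
        """Mark the record and move it out of the active system."""
        rec = self.active.pop(subject_id)
        rec.restricted = True
        self.quarantine[subject_id] = rec
        self.notifications.append(f"{subject_id}: processing restricted")

    def lift_restriction(self, subject_id: str) -> None:
        rec = self.quarantine.pop(subject_id)
        rec.restricted = False
        self.active[subject_id] = rec
        self.notifications.append(f"{subject_id}: restriction lifted")

    def published(self) -> Dict[str, Dict[str, str]]:
        """The view exposed to users or a website: restricted records are absent
        ('making it unavailable to users', 'removing published data')."""
        return {sid: dict(r.data) for sid, r in self.active.items()}

    def process(self, subject_id: str, purpose: str,
                update: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        """Every operation passes through this gate. A restricted record may only be
        accessed for an allowed purpose and, in this example, never modified."""
        rec = self.active.get(subject_id) or self.quarantine.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        if rec.restricted and (purpose not in self.allowed_while_restricted or update):
            raise RestrictedProcessingError(
                f"{subject_id}: '{purpose}' not permitted while processing is restricted")
        if update:
            rec.data.update(update)
        return dict(rec.data)


def demo() -> List[str]:
    """Walk through restrict / blocked use / allowed storage / lift; returns the audit trail."""
    store = RecordStore()
    store.add(Record("subj-1", {"email": "anna@example.org"}))  # constructed sample
    store.restrict("subj-1")
    try:
        store.process("subj-1", "marketing")
    except RestrictedProcessingError as exc:
        store.notifications.append(f"blocked: {exc}")
    store.process("subj-1", "storage")  # reading for storage purposes is allowed
    store.lift_restriction("subj-1")
    return store.notifications


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The gate in `process` is the technical safeguard the commentary asks for in automated systems: the marker alone does nothing unless every code path that reads or writes the record consults it.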
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical measures to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health, or more general personal preferences, interests and behaviour, as well as locations and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed on the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is either separated or replaced so that it can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given the recent developments in big data analytics and data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to reassign the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
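The two examples from the list above, replacing names by aliases and keyed hashing of identifiers, are shown here side by side, together with the point that makes the result pseudonymous rather than anonymous: the mapping table and the key are the "additional information" that must be stored separately, and whoever holds them can reverse the attribution. This is an added illustration for this commentary, not code from any authority or project; the customer records, the key and the token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (hypothetical persons; not data from the commentary).
CUSTOMERS: List[Dict[str, object]] = [
    {"name": "Anna Example", "email": "anna@example.org", "purchases": 3},
    {"name": "Bert Beispiel", "email": "bert@example.org", "purchases": 12},
]


class AdditionalInformation:
    """The 'additional information' of Article 4(5) GDPR: the alias table and the
    HMAC key. In practice this lives in a separate, access-controlled store; here
    it is a plain object so the example runs offline."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fixed key may be passed for reproducible output; otherwise a fresh
        # random 256-bit key is generated.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.token_to_name: Dict[str, str] = {}

    def token_for(self, name: str) -> str:
        """Technique 1: replace the name by a random alias and remember the mapping."""
        token = "cust-" + secrets.token_hex(8)
        self.token_to_name[token] = name
        return token

    def keyed_hash(self, value: str) -> str:
        """Technique 2: keyed hash (HMAC-SHA256) of the e-mail address. Without the
        key the digest cannot be recomputed, so a party holding only the
        pseudonymised set cannot check candidate addresses against it."""
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, object]], info: AdditionalInformation) -> List[Dict[str, object]]:
    """Return a new record set with the direct identifiers replaced; the originals are untouched."""
    return [
        {
            "customer": info.token_for(str(r["name"])),
            "email_hmac": info.keyed_hash(str(r["email"])),
            "purchases": r["purchases"],
        }
        for r in records
    ]


def reidentify(pseudonymised: List[Dict[str, object]], info: AdditionalInformation) -> List[Dict[str, object]]:
    """Reverse technique 1 with the separately stored table: pseudonymisation is
    invertible for whoever holds the additional information (KeyError otherwise)."""
    return [
        {"name": info.token_to_name[str(p["customer"])], "purchases": p["purchases"]}
        for p in pseudonymised
    ]


def matches_email(pseudonymised_record: Dict[str, object], candidate: str,
                  info: AdditionalInformation) -> bool:
    """With the key, the controller can still recognise a known address
    (constant-time comparison avoids leaking the digest through timing)."""
    return hmac.compare_digest(str(pseudonymised_record["email_hmac"]), info.keyed_hash(candidate))


def anonymise(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Drop the direct identifiers and keep no table or key. Whether the remainder
    is truly anonymous still depends on the Recital 26 test: could the purchase
    counts, combined with other available data, still single someone out?"""
    return [{"purchases": r["purchases"]} for r in records]


def identifiers_present(record: Dict[str, object]) -> bool:
    return any(k in record for k in ("name", "email"))


if __name__ == "__main__":
    info = AdditionalInformation()
    pseudo = pseudonymise(CUSTOMERS, info)
    print(pseudo)
    print(reidentify(pseudo, info))          # works: we hold the table
    print(matches_email(pseudo[0], "anna@example.org", info))  # True
    print(anonymise(CUSTOMERS))              # no identifiers, no way back
```

The design point is where the key and the table live: if they sit in the same database as the pseudonymised records, the data is pseudonymised in name only, because the technical and organisational separation the definition requires is absent.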
<br />
===(6) Filing system===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple ones, in a centralised or decentralised manner. Moreover, a filing system does not require information on multiple persons; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19-Guest-Lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be constituted by any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail under Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller must ensure, and be able to demonstrate, that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
Where decisions on the purposes and means of the processing of personal data are taken jointly, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the degree of participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within the search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of those data, which otherwise might not have been found on the web page on which they are published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters for its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of the personal data of its visitors.</ref><br />
* Facebook and websites that embed a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over whose purposes and means it has influence. This makes it especially relevant to clarify the responsibilities of each controller in accordance with [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the second entity subject to obligations under several provisions of the GDPR, complementing the concept of the controller explained under Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions of the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed several reference examples of controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and the authorisation of the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
Another entity defined in the GDPR is the recipient. The notion of recipient is very broad: it covers any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref><br />
<br />
The concept of the recipient is primarily relevant for the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that a controller which discloses personal data to another entity can no longer fully assume responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref><br />
<br />
In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref><br />
<br />
On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that an entity requires a particular degree of sovereignty in order to count as a recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.<br />
<br />
Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, which receive personal data in the framework of a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref><br />
<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20026Article 4 GDPR2021-09-23T12:01:15Z<p>JS: Uploading Article 4(8) GDPR</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these there is both scope and need for a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’, (4) ‘individual’. All four must be fulfilled cumulatively for information to constitute personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria (content, purpose or effect), i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> By contrast, information relating to a larger group of persons without any possibility of singling out an individual does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows the owner's wealth and income situation to be inferred, while car service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, with the growing number of personal devices, wearables and RFID chips, information on such devices increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way the person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effect of processing the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the other, often more unique identifiers mentioned above.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both the information held by the controller and information held by other entities that could identify a person. However, the requirement that such means be “reasonably likely” to be used narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors to government websites, for example, each address relates to an identifiable person given the state’s legal power to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking into consideration the increasing accessibility of information through big data technologies, the means of successfully identifying individuals become reasonably likely to be used in ever more cases.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
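As an added illustration (not part of this commentary), the following Python check shows why pseudonymised data remains information on an identifiable person: replacing the name by a keyed hash does not stop records from being "singled out" through a combination of the remaining quasi-identifiers, while generalising those identifiers raises the smallest group size. All records, the secret and the function names are constructed assumptions; the check covers only the controller's own data set, whereas Recital 26 GDPR also requires weighing the means reasonably likely to be used by other persons.<br />

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real persons): one direct identifier plus
# three "quasi-identifiers" that together may single a person out. The
# "diagnosis" column is the attribute whose disclosure the check protects.
RECORDS = [
    {"name": "Anna",  "postcode": "1010", "birth_year": 1985, "sex": "F", "diagnosis": "A"},
    {"name": "Bernd", "postcode": "1010", "birth_year": 1985, "sex": "M", "diagnosis": "B"},
    {"name": "Clara", "postcode": "1010", "birth_year": 1987, "sex": "F", "diagnosis": "A"},
    {"name": "Dario", "postcode": "1020", "birth_year": 1978, "sex": "M", "diagnosis": "C"},
    {"name": "Eva",   "postcode": "1030", "birth_year": 1991, "sex": "F", "diagnosis": "B"},
    {"name": "Felix", "postcode": "1020", "birth_year": 1975, "sex": "M", "diagnosis": "A"},
    {"name": "Gerda", "postcode": "1030", "birth_year": 1993, "sex": "F", "diagnosis": "C"},
    {"name": "Hans",  "postcode": "1040", "birth_year": 1986, "sex": "M", "diagnosis": "B"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def pseudonymise(records, secret: bytes):
    """Replace the direct identifier by a keyed hash (cf. Article 4(5) GDPR).

    Returns the pseudonymised records and the 'additional information'
    (pseudonym -> name) that must be kept separately from the data set.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        pseudonym = hmac.new(secret, rec["name"].encode(), hashlib.sha256).hexdigest()[:12]
        lookup[pseudonym] = rec["name"]
        pseudonymised.append({"pseudonym": pseudonym,
                              **{k: v for k, v in rec.items() if k != "name"}})
    return pseudonymised, lookup


def _key(rec, quasi_identifiers):
    return tuple(rec[q] for q in quasi_identifiers)


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means someone can be singled out."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Pseudonyms whose quasi-identifier combination is unique in the data set."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(r["pseudonym"] for r in records
                  if classes[_key(r, quasi_identifiers)] == 1)


def generalise(records, postcode_digits=2, year_bucket=10):
    """Coarsen quasi-identifiers so that more records fall into each class."""
    out = []
    for rec in records:
        r = dict(rec)
        r["postcode"] = (rec["postcode"][:postcode_digits]
                         + "*" * (len(rec["postcode"]) - postcode_digits))
        r["birth_year"] = (rec["birth_year"] // year_bucket) * year_bucket
        out.append(r)
    return out


def assess(records, secret=b"constructed-demo-secret"):
    """Summarise identifiability before and after generalisation.

    The lookup table is used here only so the controller (who holds the key)
    can see which data subjects its own data set still singles out.
    """
    pseudo, lookup = pseudonymise(records, secret)
    coarse = generalise(pseudo)
    return {
        "k_pseudonymised": k_anonymity(pseudo),
        "singled_out_pseudonymised": [lookup[p] for p in singled_out(pseudo)],
        "k_generalised": k_anonymity(coarse),
        "singled_out_generalised": [lookup[p] for p in singled_out(coarse)],
    }


if __name__ == "__main__":
    for key, value in assess(RECORDS).items():
        print(f"{key}: {value}")
```

With the constructed records every pseudonymised row is unique on (postcode, birth year, sex), so all eight persons can be singled out despite the missing name; after generalisation each class holds two records.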
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define a natural person's legal existence as lasting from birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data Considered by the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his or her telephone number, or information about his or her working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can be either a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, partly or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversible rendering of information impossible to access), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step with regard to information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It is a limitation requiring the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions to the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realized through markers on the data in question that ‘lock’ it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction is to be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data has to be relocated to a separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated at the request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or by a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
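The following Python snippet is an added illustration, not part of the commentary or of any project's code, of how a restriction marker of the kind described above can be enforced in an automated system: a restricted record is kept in storage, but alteration and use are refused at the data-access layer, the record is hidden from ordinary user views, and the data subject is notified. The store, the record layout, the audit log and the set of operations that remain permitted on restricted data are assumptions made for the example; all records are constructed sample data.<br />

```python
"""Restriction of processing enforced by a marker in the data-access layer.

Added example: a record is 'locked' by a restriction marker; storing it and
answering the data subject's own access request remain possible, while
alteration and use are refused and the record disappears from user-facing
views. Store, record layout and the operations that stay allowed are
assumptions for this illustration; all records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


class RestrictedProcessing(Exception):
    """Raised when an operation is attempted on restricted personal data."""


@dataclass
class Record:
    data: Dict[str, str]
    restricted: bool = False          # the marker that locks the record
    restriction_reason: str = ""


class PersonalDataStore:
    # Operations still permitted once a record carries the marker (assumed set).
    ALLOWED_WHEN_RESTRICTED = frozenset({"store", "access_request"})

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit: List[Tuple[str, str, str]] = []      # (record_id, event, detail)
        self.notifications: List[Tuple[str, str]] = []   # (record_id, message to data subject)

    def add(self, record_id: str, data: Dict[str, str]) -> None:
        self._records[record_id] = Record(dict(data))
        self.audit.append((record_id, "stored", ""))

    def is_restricted(self, record_id: str) -> bool:
        return self._records[record_id].restricted

    def restrict(self, record_id: str, reason: str) -> None:
        """Set the marker and inform the data subject of the restriction."""
        rec = self._records[record_id]
        rec.restricted, rec.restriction_reason = True, reason
        self.audit.append((record_id, "restricted", reason))
        self.notifications.append((record_id, "processing of your data has been restricted"))

    def lift_restriction(self, record_id: str) -> None:
        """Remove the marker; the data subject is informed before the lifting."""
        rec = self._records[record_id]
        self.notifications.append((record_id, "the restriction is about to be lifted"))
        rec.restricted, rec.restriction_reason = False, ""
        self.audit.append((record_id, "restriction lifted", ""))

    def process(self, record_id: str, operation: str) -> Dict[str, str]:
        """Every operation passes through the marker check before it touches data."""
        rec = self._records[record_id]
        if rec.restricted and operation not in self.ALLOWED_WHEN_RESTRICTED:
            self.audit.append((record_id, "refused", operation))
            raise RestrictedProcessing(
                f"{operation} refused for {record_id}: {rec.restriction_reason}")
        self.audit.append((record_id, "processed", operation))
        return dict(rec.data)

    def update(self, record_id: str, changes: Dict[str, str]) -> None:
        self.process(record_id, "alteration")          # refused while restricted
        self._records[record_id].data.update(changes)

    def user_visible(self) -> List[str]:
        """Restricted records are hidden from ordinary users."""
        return [rid for rid, rec in self._records.items() if not rec.restricted]


def is_refused(store: PersonalDataStore, record_id: str, operation: str) -> bool:
    """Check helper: does the store refuse this operation on this record?"""
    try:
        store.process(record_id, operation)
        return False
    except RestrictedProcessing:
        return True


if __name__ == "__main__":
    s = PersonalDataStore()
    s.add("u1", {"name": "Anna Example", "newsletter": "yes"})   # constructed
    s.restrict("u1", "accuracy contested by the data subject")
    print(is_refused(s, "u1", "use"), s.user_visible(), s.audit[-1])
```

The point of routing every operation through one <code>process</code> gate is that the marker cannot be bypassed by a caller that forgets to check it; the audit entries also give a reviewer evidence that refused operations were in fact refused.<br />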
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical-mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as locations and movements. Popular examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling plays a role in many other provisions across the GDPR, such as its territorial application (see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR) or automated decision making ([[Article 22 GDPR]]). In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that information is separated or replaced so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures that prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymized and pseudonymised data follows the decisive criterion of reasonable likelihood in Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology available to identify the data subject. However, given recent developments in big data analytics and data processing capabilities, anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-attribute the data to the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
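As an added illustration of the definition discussed above (this is example code written for this commentary, not code of any project), the following Python snippet pseudonymises a small constructed data set by replacing the direct identifiers with a keyed token, while the key and the token-to-identifier table, that is, the ‘additional information’ of Article 4(5) GDPR, are held in a separate store. The last function shows why the hash key or token table is what has to be kept apart: a plain, unkeyed hash of an identifier can be reproduced by anyone who can guess the identifier, so it does not by itself separate the data from the data subject. The record layout, names and e-mail addresses are constructed for the example.<br />

```python
"""Pseudonymisation with the re-identification data held separately.

Added example: the pseudonymised data set carries only a keyed token per
data subject, while the key and the token-to-identifier table (the
'additional information' of Article 4(5) GDPR) live in a separate store.
All names, e-mail addresses and records below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (hypothetical people, not real data).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Anna Example", "email": "anna@example.org", "purchase": "book"},
    {"name": "Ben Example", "email": "ben@example.org", "purchase": "lamp"},
    {"name": "Anna Example", "email": "anna@example.org", "purchase": "pen"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # fields removed from the pseudonymised set


@dataclass
class ReidentificationStore:
    """Holds the key and the token table; kept apart from the pseudonymised
    data and under its own access controls (an organisational measure not shown)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)  # token -> identifier


def pseudonym_for(store: ReidentificationStore, identifier: str) -> str:
    """Keyed token for an identifier (HMAC-SHA256 under the store's key).

    Equal identifiers give equal tokens, so records of one person stay
    linkable; without the key the token cannot be recomputed from a guess."""
    token = hmac.new(store.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    store.lookup[token] = identifier
    return token


def pseudonymise(records: List[Dict[str, str]],
                 store: ReidentificationStore) -> List[Dict[str, str]]:
    """Replace the direct identifiers of each record by one token."""
    out = []
    for rec in records:
        token = pseudonym_for(store, rec["email"])
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **payload})
    return out


def reidentify(record: Dict[str, str], store: ReidentificationStore) -> Optional[str]:
    """Only the holder of the separate store can reverse the pseudonymisation."""
    return store.lookup.get(record["subject"])


def unkeyed_digest(identifier: str) -> str:
    """A plain hash of the identifier, with no separately held secret."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def recomputable_without_store(token: str, candidates: List[str]) -> Optional[str]:
    """Check whether a token can be reproduced from candidate identifiers
    without the store. For an unkeyed digest this succeeds whenever the
    identifier is among the candidates; for a keyed token it does not."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_digest(cand), token):
            return cand
    return None


if __name__ == "__main__":
    store = ReidentificationStore()
    pseudo = pseudonymise(SAMPLE_RECORDS, store)
    print(pseudo)
    print(reidentify(pseudo[0], store))
```

In a real deployment the <code>ReidentificationStore</code> would live in a different system with its own access control, so that the team working on the pseudonymised set never has the key or the table; a second store created with another key produces different tokens and cannot re-identify records of the first.<br />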
<br />
===(6) Filing system===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterized by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and ''CJEU'', C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralized or decentralized manner. Also, a filing system does not require information on multiple persons to be stored: structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations formulated by the GDPR. Controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p.13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to be able to demonstrate that any processing of personal data performed on its behalf is in accordance with the GDPR.<br />
<br />
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared between different entities. In such cases of a ‘joint’ or ‘co-controllership’, the entities have to determine their respective responsibilities for the processing in an agreement, according to [[Article 26 GDPR]]. What matters, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ considerably among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, a joint controllership is assumed between<br />
<br />
* Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which it is published.</ref><br />
* Facebook and administrators of fan pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and websites that integrate a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a ‘Like Button’ on a website is made by the website operator and enables Facebook to obtain personal data of the website's visitors as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over which it has influence on the purposes and means. This makes it especially relevant to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
The processor is the other entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.<br />
<br />
The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref><br />
<br />
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Article 29 Working Party<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> developed some examples as references for controller-processor relationships:<br />
<br />
* Outsourcing of call centres for customer communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p.28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Outsourcing of mail services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p.25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref><br />
* Cloud hosting and grid computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p.27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref><br />
* A separate entity specialised in data processing within a group of companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref><br />
<br />
Once an entity qualifies as a processor, many provisions of the GDPR apply to it, such as the required implementation of technical and organisational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of special relevance is [[Article 28 GDPR]], which is intended to ensure that the requirements of the GDPR are met through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].<br />
<br />
A special form of the processor is the ‘sub-processor’ engaged by the processor, which requires a further processing agreement and authorisation by the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].<br />
<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20025Article 4 GDPR2021-09-23T11:54:33Z<p>JS: Uploading Article 4(7) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken over from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their interpretation can build on the understanding already developed for those terms. Other definitions are newly introduced, modified or complemented with additional elements; for these there is scope for, and a need for, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is equally binding in all official languages of the EU. Whenever the interpretation of a term is in doubt, the other language versions may therefore be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be broken down into four elements: (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) ‘natural person’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the words ‘any information’, the legislator signals the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> The Commission later took the same position, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The European Court of Human Rights has likewise held that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes information on the individual’s private and family life as well as information on his or her working, economic or social behaviour, regardless of the capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> The information does not need to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards format or medium, data of any type is covered, whether alphabetical, numerical, graphical, photographic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information must relate to an individual. Following the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement by reference to three alternative criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C-434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
By its content, information is "relating to" a person when it is about that particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient or the file of an employee.</ref> By contrast, information on a larger group of persons that does not allow any individual to be singled out does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Likewise, information exclusively linked to objects or events is not related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on an object also says something about an individual, it relates to that individual indirectly: the market value of a house allows inferences about the owner's wealth and income, and a car's service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The same applies to geodata (such as GPS coordinates), from which the locations and movement patterns of individuals can be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
The purpose criterion is met where the information is used, or is likely to be used, with the purpose of evaluating, treating in a certain way or influencing the status or behaviour of an individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is thus closely connected to the third criterion, the effect of the processing: information relates to a person where its use is likely to have an impact on that person’s rights and interests.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from all other members of a group directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through “identifiers”, of which Article 4(1) GDPR gives examples: a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. The WP29 names further examples, such as telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A name is therefore not required to identify an individual; the other identifiers are often more distinctive than a name.<ref>Conversely, for direct identification a name usually has to be combined with further information such as a date of birth, address or photo to avoid confusion with namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach, which considers information held by the controller as well as information held by other entities. The qualifier “reasonably likely to be used”, however, narrows this to a relative (subjective) approach: only those means which the controller or another person is reasonably likely to use are taken into account. Recital 26 sentence 4 GDPR adds that, in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify a person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identification, taking into account state-of-the-art tools, available sources, and the cost, time and effort required. When a website operator logs the dynamic IP addresses of its visitors, for example, each address relates to an identifiable person where the operator has legal means to obtain from the internet service provider the additional information needed to link the address to the subscriber; in ''Breyer'' this was the case for the German federal institutions operating the websites concerned.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
As big data technologies make ever more information accessible, measures to identify individuals that were once impractical become reasonably likely to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(1) GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, the persons concerned become more likely to be identified as further pieces of information are continuously added to the data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore states expressly that pseudonymised data, which could be attributed to a natural person by the use of additional information, remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
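The following Python example is added here to illustrate the "means reasonably likely to be used" test and the Article 4(5) notion of separately kept "additional information" on the IP-address case just discussed; it is not part of the gdprhub commentary or of any cited source. It pseudonymises the client address in constructed web-server log lines (the addresses are from documentation ranges, the key is a placeholder) in two ways: a plain SHA-256 of the address, which any third party can reverse by recomputing the digest for every candidate address (the whole IPv4 space is 2<sup>32</sup> candidates, an estimate of hours of single-core CPU time in Python and far less with dedicated hashing tools), and an HMAC under a secret key, which only the holder of that key, i.e. the controller, can re-attribute. In both cases the pseudonymised log still singles out repeat visitors; the example shows why the unkeyed variant is not even pseudonymisation in the sense of Article 4(5) and why the keyed variant remains personal data for the key holder.<br />

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional

# Constructed sample log lines (not real traffic); the addresses come from the
# RFC 5737 documentation ranges so that they are obviously fictitious.
SAMPLE_LOG: List[str] = [
    '203.0.113.17 - - [01/Oct/2021:12:09:39 +0000] "GET /index.php HTTP/1.1" 200',
    '198.51.100.5 - - [01/Oct/2021:12:09:41 +0000] "GET /api.php HTTP/1.1" 200',
    '203.0.113.17 - - [01/Oct/2021:12:10:02 +0000] "GET /login HTTP/1.1" 302',
]


def unkeyed_pseudonym(ip: str) -> str:
    """Plain SHA-256 of the address. Nothing secret is involved, so anyone can
    recompute the digest for every candidate address and compare."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. The key is the 'additional information'
    in the sense of Art. 4(5) GDPR: whoever holds it can re-attribute the value,
    so it has to be stored separately from the pseudonymised data."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def pseudonymise_log(lines: List[str], key: bytes) -> List[str]:
    """Replace the leading client address of each log line with its keyed pseudonym.
    The mapping is deterministic, so repeat visits from one address stay linkable
    (the visitor can still be singled out); only the address itself is hidden."""
    out = []
    for line in lines:
        ip, rest = line.split(" ", 1)
        out.append(f"{keyed_pseudonym(ip, key)} {rest}")
    return out


def reidentify_by_search(target: str, network: str,
                         key: Optional[bytes] = None) -> Optional[str]:
    """Attribute a pseudonym by exhaustive search over a candidate address range.

    key=None models a third party holding only an unkeyed digest and public
    knowledge of the address space: the full IPv4 space is 2**32 candidates,
    estimated at hours of single-core CPU time in Python and far less with
    dedicated hashing tools, i.e. well within 'means reasonably likely to be used'.
    key=<secret> models the controller re-attributing its own keyed pseudonyms
    with the separately stored additional information.
    """
    for host in ipaddress.ip_network(network):
        candidate = str(host)
        if key is None:
            digest = unkeyed_pseudonym(candidate)
        else:
            digest = keyed_pseudonym(candidate, key)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    # Hypothetical key for the demo; in practice it would live in a KMS or HSM,
    # never next to the pseudonymised log.
    KEY = b"constructed-demo-key-keep-this-elsewhere"
    print(reidentify_by_search(unkeyed_pseudonym("203.0.113.17"), "203.0.113.0/24"))
    print(reidentify_by_search(keyed_pseudonym("203.0.113.17", KEY), "203.0.113.0/24"))
    print(reidentify_by_search(keyed_pseudonym("203.0.113.17", KEY), "203.0.113.0/24", KEY))
    for line in pseudonymise_log(SAMPLE_LOG, KEY):
        print(line)
```

The search is limited to a /24 in the demo so that it runs instantly; widening `network` to larger prefixes only changes the cost, not the result, which is exactly the cost-and-time factor Recital 26 sentence 4 asks to be weighed.<br />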
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or residents of particular countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons; cf. Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national laws usually provide that legal personality begins at birth and ends at death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> Member States may, however, provide rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually done through national data protection, constitutional or personality rights. A further exception can apply to genetic data, where data of deceased persons may be protected indirectly through their relatives.<ref>Especially where a genetic disease of the parents indicates that their children may suffer from the same disease, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the notion of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law may grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information on a legal person is nevertheless covered by the GDPR where it is at the same time information on a natural person. In particular, where information on a legal person, such as a company name or e-mail address, allows conclusions about the natural person behind it, it may relate to that natural person and therefore be personal data. This is especially common for small businesses, family-run companies and one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data in the case law of the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number, or information about their working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address, where the website operator has legal means of obtaining from the internet service provider the additional information needed to identify the user<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate in a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is the second central requirement for the application of the GDPR. To qualify as 'processing', the operation in question must relate to personal data within the meaning of Article 4(1) GDPR. It can be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means. It does not require the use of electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR formulates the notion of processing broadly, by enumerating several operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as numerically or alphabetically ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information against other data or specific criteria), such as grid investigations (also known as 'dragnet' searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (rendering information irreversibly inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is neither exhaustive nor selective. The broad notion of processing allows the GDPR to apply extensively to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action at all with respect to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data. It limits the controller to processing the personal data in question for very limited purposes only.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, a restriction of processing occurs when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that 'lock' it against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical means that prevent the personal data from being subject to further processing operations or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving the selected data to another processing system, making the selected data unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> A data subject who has obtained a restriction must be informed by the controller before the restriction is lifted, [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
A restriction of processing can also be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]] or by order of a supervisory authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
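<br />
The locking mechanism described above, as an added example that is not part of this commentary or of any product: a small Python data access layer in which every operation passes through one check that honours the restriction marker, moves restricted records into a separate store and records the notification required before a restriction is lifted. The permitted purposes follow Article 18(2) GDPR (storage, consent of the data subject, legal claims, protection of the rights of another person, important public interest); their identifiers, the record fields and the sample record are assumptions made for this example.<br />
<br />
```python
"""Added example: enforcing a 'restriction of processing' marker.

Hypothetical data access layer (not gdprhub's or any product's code).
It models the two mechanisms the commentary describes: a marker on the
record that locks it, and relocation of the record into a separate,
access-restricted store. The purpose identifiers are assumed names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Purposes for which restricted data may still be processed (Art. 18(2) GDPR);
# the identifiers are assumptions for this example.
PERMITTED_WHILE_RESTRICTED: Set[str] = {
    "storage", "consent", "legal_claims",
    "protection_of_others_rights", "important_public_interest",
}


class ProcessingRestricted(Exception):
    """Raised when an operation would process data under a restriction."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False        # the 'marker' on the data
    restriction_reason: str = ""    # e.g. "Art 18(1)(a): accuracy contested"


@dataclass
class RecordStore:
    active: Dict[str, Record] = field(default_factory=dict)
    # Separate store for restricted records (Recital 67: "temporarily moving
    # the selected data to another processing system").
    quarantine: Dict[str, Record] = field(default_factory=dict)
    audit_log: List[Tuple] = field(default_factory=list)

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the record and move it out of the active store."""
        rec = self.active.pop(subject_id)
        rec.restricted = True
        rec.restriction_reason = reason
        self.quarantine[subject_id] = rec
        self.audit_log.append(("restrict", subject_id, reason))

    def lift(self, subject_id: str) -> None:
        """Lift the restriction. Art. 18(3): the data subject is informed
        first; the audit entry stands in for that notification here."""
        rec = self.quarantine.pop(subject_id)
        self.audit_log.append(("notify_before_lift", subject_id))
        rec.restricted = False
        rec.restriction_reason = ""
        self.active[subject_id] = rec
        self.audit_log.append(("lift", subject_id))

    def process(self, subject_id: str, purpose: str) -> Dict[str, str]:
        """Single choke point through which every operation must pass."""
        rec = self.active.get(subject_id) or self.quarantine.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        if rec.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
            self.audit_log.append(("blocked", subject_id, purpose))
            raise ProcessingRestricted(
                f"{subject_id}: '{purpose}' not permitted while restricted "
                f"({rec.restriction_reason})")
        self.audit_log.append(("processed", subject_id, purpose))
        return dict(rec.data)   # a copy, so callers cannot alter the locked record


def demo() -> dict:
    """Walk through a restriction request; returns the outcomes for inspection."""
    store = RecordStore()
    # Constructed sample record, not real data.
    store.active["ds-1"] = Record("ds-1", {"name": "A. Example", "balance": "120.00"})
    results = {}
    results["marketing_before"] = store.process("ds-1", "marketing") is not None
    store.restrict("ds-1", "Art 18(1)(a): accuracy contested")
    results["in_quarantine"] = "ds-1" in store.quarantine and "ds-1" not in store.active
    try:
        store.process("ds-1", "marketing")
        results["marketing_blocked"] = False
    except ProcessingRestricted:
        results["marketing_blocked"] = True
    results["legal_claims_ok"] = store.process("ds-1", "legal_claims")["name"] == "A. Example"
    store.lift("ds-1")
    log = store.audit_log
    results["notified_before_lift"] = (
        log.index(("notify_before_lift", "ds-1")) < log.index(("lift", "ds-1")))
    results["marketing_after"] = store.process("ds-1", "marketing") is not None
    return results


if __name__ == "__main__":
    print(demo())
```
<br />
The point of the single `process()` method is that the marker is only as good as the code path that consults it: a second query interface that reads the tables directly would bypass the lock, which is why the commentary treats relocation to a separate store as the safer realisation.<br />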
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated individual decision-making, [[Article 22 GDPR]]. In any case, the controller has to inform the data subject of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, for example by separating out or replacing the identifying elements. For data to count as pseudonymised, this additional information must be kept separately and protected by technical and organisational measures, so that the data cannot be attributed to an identified or identifiable natural person.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or keyed hashing of data (the key is the 'additional information' and must be kept separately; an unkeyed hash of a low-entropy identifier such as an e-mail address can often be reversed simply by hashing candidate values)<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video material<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive removal of any information that would allow the data subject to be identified. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, still allows identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data turns on the decisive criterion of Recital 26 sentences 3 and 4 GDPR: whether identification of the data subject is reasonably likely, considering the costs, the time required and the technology available. However, with the recent emergence of big data analytics and increased data processing capabilities, effective anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a 'subjective anonymisation',<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject must be stored separately and secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> Pseudonymisation thereby reduces the risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for instance when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
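<br />
The separation of the pseudonymised data set from the 'additional information' described above, as an added example that is not code from this commentary or from any product: a Python sketch that pseudonymises e-mail addresses with a keyed hash (HMAC-SHA256), keeps the key and the re-identification table apart from the data set handed to analysts, and contrasts this with an unkeyed hash, which any party can reverse by hashing candidate addresses. Function names, record fields and the sample addresses are assumptions made for this example.<br />
<br />
```python
"""Added example: pseudonymising an identifier with a keyed hash.

Hypothetical illustration (not from gdprhub or any product). The key is
the 'additional information' of Article 4(5) GDPR: whoever holds it can
re-link pseudonyms to data subjects, so it is stored apart from the
pseudonymised data set under its own access controls. All addresses
below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def pseudonymise(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the normalised identifier.
    Same input and same key give the same pseudonym, so records can still be
    joined; without the key the pseudonym cannot be recomputed."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The weak variant: a plain hash that anyone can recompute."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def reidentify(pseudonym: str, candidates: List[str], key: Optional[bytes]) -> Optional[str]:
    """Try to reverse a pseudonym by hashing candidate identifiers.
    With key=None this is the dictionary attack against the unkeyed hash;
    with the key it models the controller's legitimate re-linking."""
    for cand in candidates:
        digest = pseudonymise(cand, key) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(digest, pseudonym):
            return cand
    return None


def split_dataset(records: List[Dict[str, str]], key: bytes
                  ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split records into the pseudonymised data set (shared with analysts)
    and the re-identification table (kept with the key holder only)."""
    pseudonymised: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}      # pseudonym -> identifier; stored apart from the data set
    for rec in records:
        pid = pseudonymise(rec["email"], key)
        lookup[pid] = rec["email"]
        pseudonymised.append({"pid": pid, "purchase": rec["purchase"]})
    return pseudonymised, lookup


def demo() -> dict:
    """Run the scenario and return the outcomes for inspection."""
    key = secrets.token_bytes(32)    # generated and held by the controller only
    records = [                      # constructed sample data
        {"email": "alice@example.org", "purchase": "book"},
        {"email": "Bob@Example.org", "purchase": "lamp"},
    ]
    data, lookup = split_dataset(records, key)
    # An attacker holding only 'data' guesses addresses from a candidate list.
    candidates = ["carol@example.org", "alice@example.org", "bob@example.org"]
    weak = unkeyed_hash("alice@example.org")
    return {
        "no_email_in_shared_set": all("email" not in r for r in data),
        "unkeyed_reversed": reidentify(weak, candidates, None),
        "keyed_without_key": reidentify(data[0]["pid"], candidates, None),
        "keyed_with_key": reidentify(data[0]["pid"], candidates, key),
        "lookup_matches": lookup[data[1]["pid"]] == "Bob@Example.org",
        "normalisation_joins": pseudonymise("Bob@Example.org", key)
                               == pseudonymise("bob@example.org ", key),
    }


if __name__ == "__main__":
    print(demo())
```
<br />
Two practical consequences follow from the code. First, the keyed data set only stays pseudonymous as long as the key is inaccessible to the recipient of the data set, so the key belongs in a separately administered key store rather than in the same database or repository. Second, the pseudonymised data set is still personal data for the controller, which holds both the key and the lookup table; pseudonymisation is a safeguard under Article 32 GDPR, not an exit from the Regulation.<br />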
<br />
===(6) Filing system===<br />
The notion of 'filing system' is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied where the personal data relating to a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
The controller is the main addressee of the obligations laid down by the GDPR. A controller can be any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data. This includes the decisions on 'whether', 'why' and 'how' personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p.13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, the controller is to be distinguished from the processor, which is explained in further detail in Article 4(8) GDPR.<br />
<br />
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf complies with the GDPR.<br />
<br />
Where several entities jointly decide on the purposes and means of the processing of personal data, these responsibilities are shared between them. In such cases of 'joint controllership', the entities have to determine their respective responsibilities for the processing in an arrangement between them, according to [[Article 26 GDPR]]. Decisive, however, is the factual influence on the processing of the personal data,<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see also Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can vary considerably among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of 'controller' is interpreted broadly in the case law.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref><br />
<br />
For example, (joint) controllership has been found in the following constellations:<br />
<br />
* Search engine operators, in respect of the personal data published on third-party websites that they index, structure and present within search results, alongside the controllership of the publishers of those websites<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which the activities of search engines play a decisive role in the overall dissemination of data that otherwise might not have been found on the web page on which those data are published.</ref><br />
* Facebook and the administrators of fan pages hosted on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, by setting parameters on its target audience and promoting its activities, takes part in the determination of the purposes and means of the processing of personal data of its visitors.</ref><br />
* Facebook and website operators that have embedded its 'Like' button<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a 'Like' button on a website is made by the website operator and enables Facebook to obtain personal data of the visitors to that website as well.</ref><br />
<br />
In each case, however, the responsibility of each entity is strictly limited to those processing operations in respect of which it actually has influence on the purposes and means. This makes it all the more important to allocate the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20024Article 4 GDPR2021-09-23T11:43:05Z<p>JS: Uploading Article 4(6) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95: /46: /EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 20: 02: /58: /EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. In the case of such new definitions, there is scope for new interpretations.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as the name, identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned identifiers, which are often more unique.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not been identified yet but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both the information held by the controller and information held by other entities that could identify a person. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person, given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, the means of identifying individuals become increasingly “reasonably likely” to be used.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified, as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For this reason, Recital 26 GDPR explicitly states that pseudonymised data remains information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 of [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information regarding legal persons is nevertheless protected by the GDPR where it amounts to information on a natural person. In particular, where information on a legal person, such as a company’s name or mail address, allows information on the natural person behind it to be derived, it may relate to that natural person and therefore constitute personal data. This is especially common for small businesses, family-run businesses or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action regarding information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition of processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted when the data is no longer required for the purpose it was originally collected for but cannot be deleted because of legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data must be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
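A marker-based restriction of the kind described in this section, as an added example that is not part of the GDPRhub commentary or the works it cites; `RecordStore`, the purpose labels and the sample record are constructed for illustration, and the permitted purposes follow Article 18(2) GDPR:<br />

```python
"""Restriction of processing (Art. 4(3) and Art. 18 GDPR) enforced technically.

Added example (not from GDPRhub or the commentaries it cites). A restricted
record is marked and relocated from the active store into a separate locked
store, is handed out read-only, and may only be processed for the purposes
that Article 18(2) GDPR still permits. Record contents, identifiers and
purpose labels are constructed sample values.
"""
from dataclasses import dataclass, field
from types import MappingProxyType

# Purposes for which Art. 18(2) GDPR still allows processing of restricted data
PERMITTED_WHILE_RESTRICTED = {
    "storage",           # storage itself is always permitted
    "consent",           # processing with the data subject's consent
    "legal_claims",      # establishment, exercise or defence of legal claims
    "rights_of_others",  # protection of the rights of another person
    "public_interest",   # reasons of important public interest
}


@dataclass
class RecordStore:
    active: dict = field(default_factory=dict)
    restricted: dict = field(default_factory=dict)  # separate, locked store
    audit: list = field(default_factory=list)       # every decision is logged

    def add(self, rid: str, record: dict) -> None:
        self.active[rid] = dict(record)

    def restrict(self, rid: str, reason: str) -> None:
        """Mark and relocate: ordinary users and batch jobs that read
        `active` no longer see the record at all."""
        record = self.active.pop(rid)
        record["_restricted"] = {"reason": reason}
        self.restricted[rid] = record
        self.audit.append(("restrict", rid, reason))

    def process(self, rid: str, purpose: str):
        """Hand out the record for `purpose`; a restricted record is refused
        for any purpose outside Art. 18(2) and is otherwise read-only, so
        that it cannot be changed while the restriction lasts."""
        if rid in self.active:
            return self.active[rid]
        record = self.restricted[rid]
        if purpose not in PERMITTED_WHILE_RESTRICTED:
            self.audit.append(("denied", rid, purpose))
            raise PermissionError(f"{rid} is restricted; '{purpose}' not permitted")
        self.audit.append(("allowed", rid, purpose))
        return MappingProxyType(record)

    def lift(self, rid: str, subject_informed: bool) -> None:
        """Return the record to the active store. Art. 18(3) requires the
        data subject to be informed before the restriction is lifted."""
        if not subject_informed:
            raise ValueError("inform the data subject before lifting the restriction")
        record = self.restricted.pop(rid)
        del record["_restricted"]
        self.active[rid] = record
        self.audit.append(("lift", rid, None))


if __name__ == "__main__":
    store = RecordStore()
    # Constructed sample record
    store.add("r1", {"email": "x@example.org", "marketing_opt_in": True})
    store.restrict("r1", "accuracy contested by data subject")
    print(store.process("r1", "legal_claims"))   # allowed, read-only view
    try:
        store.process("r1", "marketing")          # refused while restricted
    except PermissionError as err:
        print(err)
    print(store.audit)
```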
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour, as well as location and movements. Common examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant for many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, [[Article 22 GDPR]]. In any case, the data subject has to be informed by the controller of the existence of profiling.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures that prevent the identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names by IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing the identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows identification through the use of additional information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, considering recent developments in big data analytics and data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> for example when:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
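The replacement of direct identifiers by pseudonyms with separately held “additional information”, as described above, as an added example that is not part of the GDPRhub commentary or the works it cites; `KeyVault`, `pseudonymise`, the field names and all records are constructed for illustration:<br />

```python
"""Pseudonymisation under Article 4(5) GDPR with separately held
'additional information'.

Added example (not from GDPRhub or the commentaries it cites). Direct
identifiers are replaced by a keyed pseudonym; the key and the
pseudonym-to-identity table that allow re-identification are held in a
separate, access-controlled object. All names, e-mail addresses and
records are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields treated as direct identifiers and removed from the working data set
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class KeyVault:
    """The 'additional information' of Art. 4(5): the secret key and the
    lookup table. In production this sits in a separate system with its
    own access control; here it is a separate object from the working data."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)
    authorised: set = field(default_factory=set)

    def re_identify(self, pseudonym: str, principal: str) -> dict:
        """Reverse the pseudonymisation; only an authorised principal may."""
        if principal not in self.authorised:
            raise PermissionError(f"{principal} may not re-identify data subjects")
        return self.lookup[pseudonym]


def pseudonymise(record: dict, vault: KeyVault) -> dict:
    """Return a copy of `record` with direct identifiers replaced by a pseudonym.

    A keyed HMAC (rather than a plain hash) is used because anyone could
    recompute an unkeyed hash from a known e-mail address, so the 'additional
    information' would not really be separated. The pseudonym is stable for
    one data subject, so records remain linkable for analysis; note that the
    pseudonymised record is still personal data (Recital 26 GDPR).
    """
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    # Canonical form so that case and whitespace variants map to one pseudonym
    canonical = record["email"].strip().lower().encode("utf-8")
    pseudonym = hmac.new(vault.key, canonical, hashlib.sha256).hexdigest()[:16]
    vault.lookup[pseudonym] = identity
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_id"] = pseudonym
    return working


# Constructed sample input: two orders by the same person, one by another
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "order_total": 120},
    {"name": "Alice Example", "email": " Alice@Example.org", "order_total": 40},
    {"name": "Bob Sample", "email": "bob@example.net", "order_total": 75},
]


def demo() -> tuple:
    """Pseudonymise the sample set; returns (vault, working data set)."""
    vault = KeyVault(authorised={"dpo"})       # only the DPO may re-identify
    working = [pseudonymise(r, vault) for r in SAMPLE_RECORDS]
    return vault, working


if __name__ == "__main__":
    vault, working = demo()
    for row in working:
        print(row)                                # no name or e-mail left
    print(vault.re_identify(working[2]["subject_id"], "dpo"))
```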
<br />
===(6) Filing system===<br />
The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It complements the approach of technological neutrality followed by the GDPR.<br />
<br />
A filing system is characterised by a structured set of personal data that is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied when personal data on a particular person can be retrieved.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021); CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref><br />
<br />
The data can be stored on a single data carrier or on multiple data carriers, in a centralised or decentralised manner. Also, a filing system does not require information on multiple persons to be stored; storing structured information on a single person may already qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref><br />
<br />
Other examples are:<br />
<br />
* Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref><br />
* Covid-19 guest lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref><br />
<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20023Article 4 GDPR2021-09-23T11:38:45Z<p>JS: Uploading Article 4(5) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the key notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their interpretation can build on the understanding already established for those terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require, and leave scope for, new interpretation.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”.</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the individual’s working, economic or social behaviour, regardless of the capacity in which he or she acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance recordings,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother's behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information must relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is “relating to” a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly affecting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be directly distinguished or “singled out” from a larger group of persons on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one of the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A name is therefore not necessarily required to identify an individual, given the identifiers mentioned above, which are often more unique than a name.<ref>For direct identification, the name of a person usually has to be combined with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities. However, the requirement that the use of such information by the controller be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where the IP addresses of visitors to governmental websites are collected, for example, each address relates to an identifiable person, given the state’s legal means of obtaining the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means required to identify individuals become increasingly likely to be used.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR explicitly states that pseudonymised data remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define legal personhood as lasting from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person, such as a company name or e-mail address, allows information on the natural person behind it to be derived, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone coordinates or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation or inaccessibility of information on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no action regarding information imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition on processing nor an erasure of personal data. It limits the controller to processing certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions of processing occur when the data is no longer required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; instead, the data must be relocated to separate storage with access restrictions.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
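The marker-based lock described above, as an added example that is not part of this commentary or of any real system: a small in-memory record store in which the ‘restricted’ marker is enforced by the system on every read and update, storage and the Article 18(2) GDPR exceptions remain permitted, lifting requires that the data subject has been informed, and every decision is logged. The purpose names, the store and the sample record are assumptions of this example.<br />

```python
"""Restriction-of-processing marker enforced by an automated system (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Purposes for which a restricted record may still be processed: storage is always
# permitted; the other four are the exceptions listed in Article 18(2) GDPR.
# The purpose names themselves are assumptions of this example.
PERMITTED_WHILE_RESTRICTED = frozenset({
    "storage", "consent", "legal_claims", "protect_other_person", "public_interest",
})


class ProcessingRestricted(Exception):
    """Raised when an operation would process a restricted record for a non-permitted purpose."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False              # the marker ('lock') of Article 4(3) GDPR
    restriction_reason: str = ""
    restricted_since: Optional[date] = None


class RecordStore:
    """Minimal automated system: the marker is checked by the store, not by its users."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        # (subject_id, operation, outcome): audit trail of every enforcement decision
        self.audit: List[Tuple[str, str, str]] = []

    def add(self, record: Record) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str, reason: str, today: Optional[date] = None) -> None:
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        rec.restricted_since = today or date.today()
        self.audit.append((subject_id, "restrict", reason))

    def lift(self, subject_id: str, subject_informed: bool) -> None:
        # Article 18(3) GDPR: the data subject is informed before the restriction is lifted.
        if not subject_informed:
            raise ProcessingRestricted(f"{subject_id}: inform the data subject before lifting")
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason, rec.restricted_since = False, "", None
        self.audit.append((subject_id, "lift", "ok"))

    def allowed(self, subject_id: str, purpose: str) -> bool:
        """True if the record is unrestricted or the purpose is one of the permitted exceptions."""
        rec = self._records[subject_id]
        return (not rec.restricted) or purpose in PERMITTED_WHILE_RESTRICTED

    def _check(self, subject_id: str, operation: str, purpose: str) -> Record:
        rec = self._records[subject_id]
        if not self.allowed(subject_id, purpose):
            self.audit.append((subject_id, operation, f"blocked:{purpose}"))
            raise ProcessingRestricted(
                f"{subject_id} restricted since {rec.restricted_since} "
                f"({rec.restriction_reason}); purpose '{purpose}' not permitted")
        self.audit.append((subject_id, operation, f"allowed:{purpose}"))
        return rec

    def read(self, subject_id: str, purpose: str) -> Dict[str, str]:
        return dict(self._check(subject_id, "read", purpose).data)

    def update(self, subject_id: str, changes: Dict[str, str], purpose: str) -> Dict[str, str]:
        rec = self._check(subject_id, "update", purpose)
        rec.data.update(changes)
        return dict(rec.data)


def demo() -> List[Tuple[str, str, str]]:
    """Restrict, attempt blocked operations, use a permitted exception, lift; returns the audit trail."""
    store = RecordStore()
    # Constructed sample record, not a real person.
    store.add(Record("subj-1", {"name": "Alice Example", "balance": "120"}))
    store.restrict("subj-1", "accuracy contested (Art. 18(1)(a))", date(2021, 9, 23))
    try:
        store.read("subj-1", "marketing")          # blocked: not a permitted purpose
    except ProcessingRestricted as exc:
        print("blocked:", exc)
    try:
        store.update("subj-1", {"balance": "0"}, "billing")   # blocked: changes are frozen too
    except ProcessingRestricted as exc:
        print("blocked:", exc)
    print("readable for legal claims:", store.read("subj-1", "legal_claims"))
    store.lift("subj-1", subject_informed=True)
    print("after lift:", store.update("subj-1", {"balance": "0"}, "billing"))
    return store.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```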
<br />
===(4) Profiling===<br />
By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated by applying statistical-mathematical methods to personal data in order to produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or, more generally, personal preferences, interests and behaviour, as well as locations and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, see [[Article 22 GDPR]]. In any case, the data subject has to be informed of the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
Pseudonymisation is the process of changing personal data in such a way that identifying information is separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject by the respective controller.<br />
<br />
Examples for the pseudonymisation of personal data include:<br />
<br />
* Replacement of names with IDs, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref><br />
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref><br />
* Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, Privacy in Germany 05/2015, p. 210.</ref><br />
<br />
The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, considering the costs, the amount of time and the technology required to identify the data subject. However, given recent developments in big data analytics and data processing capabilities, anonymisation becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> While some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to re-identify the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref><br />
<br />
In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for data subjects and helps controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> in particular for:<br />
<br />
* Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])<br />
* Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])<br />
* Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])<br />
* Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])<br />
* Implementing Data Protection by Design and Default ([[Article 25 GDPR]])<br />
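The separation of pseudonym and ‘additional information’ described in this section, as an added example that is not part of this commentary or of any real product: direct identifiers are replaced by an HMAC-SHA256 token whose key and token-to-identity map are held by a separate vault, so only the vault holder can re-identify; destroying the vault removes this controller’s means of re-identification. The last function encodes the Recital 26 test from the defender’s side: it shows that an unkeyed hash of an identifier can be recomputed from a candidate list and is therefore not sufficient on its own, while the keyed token cannot. The field names, the vault class and the sample records are assumptions of this example.<br />

```python
"""Keyed pseudonymisation with separately held additional information (added example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Fields treated as direct identifiers and replaced by a pseudonym (assumption of this example).
DIRECT_IDENTIFIERS = ("name", "email")


def canonical(identity: Dict[str, str]) -> str:
    """Normalise the identifying fields so the same person always yields the same token."""
    return "|".join(identity[k].strip().lower() for k in DIRECT_IDENTIFIERS)


def keyed_token(key: bytes, canon: str) -> str:
    """HMAC-SHA256 pseudonym: cannot be recomputed without the key."""
    return hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def unkeyed_token(canon: str) -> str:
    """Plain SHA-256 of the identifier: anyone holding a candidate list can recompute it."""
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:24]


class KeyVault:
    """The 'additional information' of Article 4(5) GDPR: the key plus the token-to-identity map.

    In a real deployment this is a separate system with its own access controls and
    logging (Article 32 GDPR); here it is an in-memory object.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._identities: Dict[str, Dict[str, str]] = {}

    def token_for(self, identity: Dict[str, str]) -> str:
        if self._key is None:
            raise RuntimeError("vault key destroyed; no new pseudonyms can be issued")
        token = keyed_token(self._key, canonical(identity))
        self._identities[token] = dict(identity)
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Only the vault holder can attribute a pseudonym to a person."""
        return self._identities.get(token)

    def destroy(self) -> None:
        """Remove this controller's means of re-identification. Whether the remaining data
        is then anonymous still depends on the Recital 26 test (other data, other parties)."""
        self._key = None
        self._identities.clear()


def pseudonymise(records: Iterable[Dict[str, str]], vault: KeyVault) -> List[Dict[str, str]]:
    """Replace the direct identifiers with a pseudonym; the rest of the record is kept as is."""
    out: List[Dict[str, str]] = []
    for rec in records:
        identity = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": vault.token_for(identity), **rest})
    return out


def linkable_by_recomputation(token: str, candidates: Iterable[str],
                              tokenizer: Callable[[str], str]) -> bool:
    """Recital 26 check: can a party holding the candidate identifiers, but not the
    vault key, recompute the token and thereby re-link it to a person?"""
    return any(tokenizer(c) == token for c in candidates)


if __name__ == "__main__":
    # Constructed sample records, not real persons.
    records = [
        {"name": "Alice Example", "email": "alice@example.org", "city": "Vienna", "age": "34"},
        {"name": "Bob Example", "email": "bob@example.org", "city": "Graz", "age": "51"},
    ]
    vault = KeyVault()
    pseudo = pseudonymise(records, vault)
    print("pseudonymised:", pseudo)
    print("re-identified by vault holder:", vault.reidentify(pseudo[0]["pseudonym"]))
    cands = [canonical({"name": r["name"], "email": r["email"]}) for r in records]
    print("unkeyed hash re-linkable from candidates:",
          linkable_by_recomputation(unkeyed_token(cands[0]), cands, unkeyed_token))
    print("keyed token re-linkable without the key:",
          linkable_by_recomputation(pseudo[0]["pseudonym"], cands,
                                    lambda c: keyed_token(secrets.token_bytes(32), c)))
    vault.destroy()
    print("after vault destruction:", vault.reidentify(pseudo[0]["pseudonym"]))
```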
<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20022Article 4 GDPR2021-09-23T11:31:23Z<p>JS: Uploading Article 4(4) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to specify the relevant notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require, and leave scope for, new interpretations.<br />
<br />
It should be noted that the Regulation is legally binding in all official languages of the EU. In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, other language versions may therefore be consulted whenever the interpretation is in doubt, so as to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is concerned, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, given the growing number of personal devices, wearables and RFID chips, information on such devices increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information relates to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable.<br />
<br />
A person is “identified” where he or she can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one or more of the “identifiers” listed in Article 4(1) GDPR, such as the name, identification number, location data, online identifiers or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, given the other identifiers mentioned above, which are often more unique.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that such information be “reasonably likely” to be used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of IP addresses collected from visitors to government websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legal orders usually recognise a natural person from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where the data of deceased persons may be indirectly protected through their living relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Nevertheless, information regarding a legal person is protected by the GDPR where it amounts to information on a natural person. In particular, where information on a legal person allows conclusions about the natural person behind it, for instance where the company's name or e-mail address contains that person's name, it relates to a natural person and is therefore personal data. This is especially common for smaller, family-run or one-person businesses.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data in CJEU case law ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number, or information about their working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses, where the website operator has legal means to obtain the additional information needed to identify the visitor<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate in a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully automated, partly automated or non-automated means; it does not require the use of electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The GDPR formulates the notion of processing broadly, through a non-exhaustive enumeration of operations that typically form processing:<br />
<br />
* '''Collection''' (targeted procurement of individual pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous capture of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that facilitates access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, or on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjusting the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changing the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations performed on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' ("pushing" information to specific recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparing data against other data or specific criteria), such as grid investigations (also 'dragnet' searches).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking data to limit its further processing, see also Article 4(3) GDPR), such as deactivating information on a website or making it inaccessible.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation performed on personal data. The only major exception is where the controller remains completely passive and takes no action whatsoever with respect to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing is neither a complete prohibition on processing nor an erasure of personal data. It limits the controller to processing the personal data in question for very limited purposes only.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted when the data is no longer required for the purpose it was originally collected for, but cannot be deleted because of a legal obligation to retain it.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is implemented through markers on the data in question that 'lock' it against further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated filing systems, the restriction shall be ensured by technical means which guarantee that the personal data is not subject to further processing operations and cannot be changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated filing systems, marking the data is typically not sufficient; the data has to be relocated to separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Restriction methods could include temporarily moving the selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> Where the data subject has obtained the restriction, the controller must inform them before the restriction is lifted, [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can be initiated at the request of a data subject under the conditions of [[Article 18 GDPR|Article 18(1) GDPR]], or ordered by a supervisory authority under [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information, see the commentary on these provisions.<br />
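As an added illustration of the technical safeguards described above, and not part of this commentary or of any cited source, the following Python example implements the restriction marker of Article 4(3) GDPR in a small in-memory store. Every read and write passes through a gate: once a record is marked, only storage and the purposes that Article 18(2) GDPR still permits (consent of the data subject, legal claims, protection of another person's rights, important public interest) are allowed, changes are refused altogether as Recital 67 requires, every refused attempt is written to an audit trail, and the marker cannot be lifted unless the data subject has been informed first (Article 18(3) GDPR). The class, method and purpose names and the sample record are constructed for the example.<br />

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Purpose(Enum):
    """Purposes under which a record may be accessed. The last four are the processing
    that Art. 18(2) GDPR still allows while processing is restricted."""
    STORAGE = "storage"
    MARKETING = "marketing"
    ANALYTICS = "analytics"
    CONSENT = "consent_of_data_subject"
    LEGAL_CLAIMS = "legal_claims"
    PROTECT_OTHERS = "protection_of_rights_of_another"
    PUBLIC_INTEREST = "important_public_interest"


# While the marker is set, only storage and the Art. 18(2) exceptions pass the gate.
RESTRICTED_ALLOWED = frozenset({Purpose.STORAGE, Purpose.CONSENT, Purpose.LEGAL_CLAIMS,
                                Purpose.PROTECT_OTHERS, Purpose.PUBLIC_INTEREST})


class RestrictionError(PermissionError):
    """Raised when an operation would violate a restriction marker."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    restricted: bool = False                  # the Art. 4(3) marker
    restriction_reason: Optional[str] = None


@dataclass
class PersonalDataStore:
    """Minimal store in which every read and write passes through the restriction gate."""
    records: Dict[str, Record] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def add(self, subject_id: str, data: Dict[str, str]) -> None:
        self.records[subject_id] = Record(subject_id, dict(data))

    def restrict(self, subject_id: str, reason: str) -> None:
        """Set the marker (e.g. after an Art. 18(1) request); the data itself stays stored."""
        rec = self.records[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        self.audit.append(f"restricted {subject_id}: {reason}")

    def lift(self, subject_id: str, subject_informed: bool) -> None:
        """Art. 18(3): the data subject has to be informed before the restriction is lifted."""
        if not subject_informed:
            self.audit.append(f"denied lift {subject_id}: data subject not yet informed")
            raise RestrictionError("inform the data subject before lifting the restriction")
        rec = self.records[subject_id]
        rec.restricted, rec.restriction_reason = False, None
        self.audit.append(f"lifted {subject_id}")

    def _gate(self, rec: Record, purpose: Purpose, op: str) -> None:
        """Refuse and log any operation a restriction marker does not permit."""
        if rec.restricted and purpose not in RESTRICTED_ALLOWED:
            self.audit.append(f"denied {op} {rec.subject_id} for {purpose.value}: restricted ({rec.restriction_reason})")
            raise RestrictionError(f"{op} for {purpose.value} not permitted while restricted")

    def read(self, subject_id: str, purpose: Purpose) -> Dict[str, str]:
        rec = self.records[subject_id]
        self._gate(rec, purpose, "read")
        return dict(rec.data)          # a copy: callers cannot alter the stored record via the result

    def update(self, subject_id: str, changes: Dict[str, str], purpose: Purpose) -> None:
        """Recital 67: restricted data must not be changed at all, whatever the purpose."""
        rec = self.records[subject_id]
        if rec.restricted:
            self.audit.append(f"denied update {rec.subject_id} for {purpose.value}: restricted ({rec.restriction_reason})")
            raise RestrictionError("restricted data must not be changed")
        rec.data.update(changes)


def denied(operation: Callable[..., object], *args, **kwargs) -> bool:
    """True if the operation was blocked by a restriction marker, False if it went through."""
    try:
        operation(*args, **kwargs)
    except RestrictionError:
        return True
    return False


if __name__ == "__main__":
    store = PersonalDataStore()
    store.add("u1", {"email": "u1@example.org", "segment": "premium"})   # constructed sample
    store.restrict("u1", "accuracy contested by the data subject")
    print(denied(store.read, "u1", Purpose.MARKETING))                            # True
    print(store.read("u1", Purpose.LEGAL_CLAIMS))                                 # still readable
    print(denied(store.update, "u1", {"segment": "basic"}, Purpose.LEGAL_CLAIMS))  # True
    for line in store.audit:
        print(line)
```

The design point is that the marker is enforced at the only code path that touches the data, not in every caller, and that denials are logged: a restriction that depends on each application remembering to check a flag is the kind of safeguard that fails silently, whereas a gate with an audit trail makes every attempted marketing or analytics access to restricted data visible.<br />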
<br />
===(4) Profiling===<br />
With the explicit mention of profiling, the GDPR reacts to risks and dangers originating from new forms of data processing, namely the increased creation, maintenance and use of profiles of the personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and ''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> Such profiles are typically generated by applying statistical and mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref><br />
<br />
Profiling does not require knowledge of the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in connection with online identifiers such as IP addresses, cookie IDs or RFID tags,<ref>Recital 30 sentence 1 GDPR.</ref> as well as with information automatically collected from smart devices, wearables or cars.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref><br />
<br />
The definition provides a non-exhaustive list of common profiling criteria, such as performance at work, economic situation, health, personal preferences, interests, reliability and behaviour, as well as location and movements. Typical examples are therefore:<br />
<br />
* Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref><br />
* Running credit rating or scoring systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
* Running e-recruitment systems<ref>Recital 71 sentence 1 GDPR.</ref><br />
<br />
Besides its economic relevance for controllers, profiling is relevant to many other provisions of the GDPR, such as its territorial scope, see [[Article 3 GDPR|Article 3(2)(b) GDPR]] and Recital 24 GDPR, or automated decision-making, [[Article 22 GDPR]]. In any case, the controller has to inform the data subject of the existence of profiling and its consequences.<ref>Recital 60 sentence 3 GDPR.</ref><br />
<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS
https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20021
Article 4 GDPR
2021-09-23T11:18:14Z
<p>JS: Uploading Article 4(3) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span><br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; in the case of such new definitions there is scope for new interpretations.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was recently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, C‑434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a bigger group of persons without any possibility to single out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows one to infer the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows one to derive the locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information on the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information establishes a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a bigger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through several “identifiers” listed by Article 4(1) GDPR, such as the name, identification number, location, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given the previously mentioned identifiers, which are often more unique.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information from other entities that could identify a person. However, the “reasonable likeliness” of such information being used by the controller narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility to identify the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likeliness of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data is explicitly to be considered as information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Starting from this definition, national legislators usually set the scope of the natural person from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to dead persons is not considered as personal data according to the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where the information on a legal person allows information on the natural person behind it to be derived, such as from a company’s name or mail address, it may be related to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further Examples of Personal Data Considered by the CJEU====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered as 'processing', the operation in question has to relate to personal data according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations typically forming processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information to a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as utilising postal addresses to deliver orders or email addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information on a website or making it inaccessible.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is neither exhaustive nor selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active step with regard to information that the data subject has imposed on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
The restriction of processing means neither a complete prohibition on processing nor an erasure of the personal data. It limits the controller to processing the personal data in question only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Typically, processing is restricted when the data are no longer required for the purpose for which they were originally collected, but cannot be deleted because of legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Technically, the restriction is realised through markers on the data in question that ‘lock’ them against further processing.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction should be ensured by technical safeguards that prevent the personal data from being further processed or changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; the data have to be relocated to a separate storage location with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref><br />
<br />
Methods to restrict processing could include temporarily moving the selected data to another processing system, making the data unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, the data subject must be informed about the restriction of processing of their personal data in accordance with [[Article 18 GDPR|Article 18(3) GDPR]].<br />
<br />
The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<br />
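The marker-based mechanism described above, as an added example that is not part of the GDPRhub commentary: a small Python data store in which every operation (named after the Article 4(2) GDPR list) passes through an access layer that checks the restriction marker, storage of restricted data stays permitted, processing for the grounds listed in Article 18(2) GDPR is still allowed, restricted records are withheld from the published view, and every attempt is audit-logged. The record layout, operation names and purpose identifiers are constructed for this example.<br />

```python
# Added example, not part of the GDPRhub commentary: 'restriction of processing'
# (Article 4(3), Recital 67 GDPR) realised as a marker on each stored record,
# enforced by the access layer. Record layout, operation and purpose names are
# constructed; the permitted purposes follow the grounds of Article 18(2) GDPR.
from __future__ import annotations
from dataclasses import dataclass

# Storage is always permitted on restricted data: restriction is a limitation,
# not an erasure (Article 4(3) GDPR). Other operations need a permitted purpose.
ALWAYS_PERMITTED = frozenset({"storage"})
PERMITTED_PURPOSES = frozenset({          # grounds of Article 18(2) GDPR
    "data_subject_consent", "legal_claims",
    "protection_of_another_person", "important_public_interest",
})


class RestrictedProcessingError(PermissionError):
    """The access layer refused an operation on restricted data."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False              # the 'marker' of Article 4(3) GDPR
    restriction_reason: str | None = None


class DataStore:
    """Every read or write goes through process(), which checks the marker."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self.audit_log: list[dict] = []   # every attempt, refused or allowed

    def _log(self, operation: str, subject_id: str, purpose: str, allowed: bool) -> None:
        self.audit_log.append({"operation": operation, "subject_id": subject_id,
                               "purpose": purpose, "allowed": allowed})

    def store(self, subject_id: str, data: dict) -> None:
        self._records[subject_id] = Record(subject_id, dict(data))
        self._log("storage", subject_id, "initial_collection", True)

    def restrict(self, subject_id: str, reason: str) -> None:
        """Set the marker; the stored content itself is left untouched."""
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = True, reason
        self._log("restriction", subject_id, reason, True)

    def lift_restriction(self, subject_id: str) -> None:
        rec = self._records[subject_id]
        rec.restricted, rec.restriction_reason = False, None
        self._log("lift_restriction", subject_id, "-", True)

    def process(self, subject_id: str, operation: str, purpose: str, fn):
        """Run fn on a copy of the data if the restriction check passes; for
        adaptation/alteration the dict fn returns replaces the stored content."""
        rec = self._records[subject_id]
        allowed = (not rec.restricted or operation in ALWAYS_PERMITTED
                   or purpose in PERMITTED_PURPOSES)
        self._log(operation, subject_id, purpose, allowed)
        if not allowed:
            raise RestrictedProcessingError(
                f"{operation} of {subject_id} refused: restricted "
                f"({rec.restriction_reason}), purpose {purpose!r} not permitted")
        result = fn(dict(rec.data))
        if operation in {"adaptation", "alteration"}:
            rec.data = dict(result)
        return result

    def published_view(self) -> dict[str, dict]:
        """Public-facing read: restricted records are withheld entirely
        (Recital 67: 'temporarily removing published data from a website')."""
        return {sid: dict(r.data) for sid, r in self._records.items()
                if not r.restricted}


def demo() -> dict:
    """Walk one restriction lifecycle and return what was observed."""
    store = DataStore()
    store.store("subj-1", {"name": "A. Example", "email": "a@example.invalid"})
    store.store("subj-2", {"name": "B. Example", "email": "b@example.invalid"})
    # Accuracy contested by the data subject (Article 18(1)(a) GDPR): restrict
    # while the data are verified. Data stay stored; the website hides them.
    store.restrict("subj-1", "accuracy_contested")
    out = {"published_while_restricted": sorted(store.published_view())}
    try:
        store.process("subj-1", "use", "marketing", lambda d: d["email"])
        out["marketing_refused"] = False
    except RestrictedProcessingError:
        out["marketing_refused"] = True
    # Still permitted: processing needed for legal claims (Article 18(2) GDPR).
    out["legal_claims_result"] = store.process(
        "subj-1", "consultation", "legal_claims", lambda d: d["name"])
    store.lift_restriction("subj-1")
    out["email_after_lift"] = store.process(
        "subj-1", "use", "marketing", lambda d: d["email"])
    out["refused_attempts"] = sum(1 for e in store.audit_log if not e["allowed"])
    return out
```

The refused attempt is recorded in the audit log rather than silently dropped, which is what lets a controller later show that the restriction was actually enforced.<br />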
<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20020Article 4 GDPR2021-09-23T11:11:40Z<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. <br />
<br />
In the case of such new definitions, there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court already stated in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding an individual’s private and family life and information regarding their working, economic or social behaviour, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing by a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''”.<ref>CJEU, C‑434/16, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income situation, while car service records allow conclusions about their driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> In particular, information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where they can be distinguished or “singled out” from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through the “identifiers” listed in Article 4(1) GDPR, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Therefore, the name of a person is not necessarily required to identify an individual, given that the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a date of birth, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where they have not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information held by other entities that could identify a person. However, the requirement that the use of such information by the controller be “reasonably likely” narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable to expect.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.<br />
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this definition, national legislators usually define a natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Therefore, information relating to deceased persons is not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company’s name or e-mail address, it may relate to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al., The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data Considered by the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number, or information about their working conditions, employment or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP addresses<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out entirely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><br />
<br />
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations that typically constitute processing:<br />
<br />
* '''Collection''' (targeted procurement of single pieces of data), such as offering registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
* '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
* '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
* '''Structuring''' (ordering data according to certain criteria), such as the numerical or alphabetical ordering of information.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
* '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, files, disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
* '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
* '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
* '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
* '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
* '''Use''' (catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
* '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company.<br />
* '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
* '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref><br />
* '''Alignment''' (comparison of information with other, specific requirements), such as grid investigations (also ‘dragnet’ actions).<br />
* '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref><br />
* '''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivating information or making it inaccessible on a website.<ref>Recital 67 GDPR.</ref><br />
* '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting data multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref><br />
* '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref><br />
<br />
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action towards information that is imposed on it by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20019 Article 4 GDPR 2021-09-23T10:16:45Z <p>JS: Uploading Article 4(2) GDPR</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
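<br />
The definition of ‘pseudonymisation’ in point (5) above turns on the ‘additional information’ being kept separately and protected. The following is an added example, not code from gdprhub or from the Regulation: it uses a keyed HMAC (one possible technique; the GDPR prescribes none) over constructed sample records, with the key and the reverse mapping held in a hypothetical separate store, so that the pseudonymised dataset on its own cannot be attributed to a specific data subject while authorised re-identification remains possible.<br />

```python
"""Keyed pseudonymisation in the sense of Article 4(5) GDPR.

Added example with constructed sample records; not code from gdprhub or any
project. Class and function names are hypothetical. The secret key and the
reverse mapping are the 'additional information' the definition speaks of:
they are held in a separate store, so the pseudonymised dataset on its own
cannot be attributed to a specific data subject.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records about fictional persons.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.org", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "diagnosis": "none"},
    {"name": "Alice Example", "email": "ALICE@example.org", "diagnosis": "allergy"},
]

# Fields that directly identify the data subject; they are removed from the dataset.
IDENTIFIERS = ("name", "email")


class SeparateKeyStore:
    """Holds the 'additional information' apart from the pseudonymised data.

    In a real deployment this object would live in a separate system under its
    own access control (the 'technical and organisational measures' of the
    definition); here it is simply an object that must be passed explicitly.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit random key; without it the HMAC cannot be recomputed or forged.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, record: Dict[str, str]) -> str:
        """Return a deterministic keyed pseudonym for the record's data subject.

        Same person (after canonicalisation) -> same token, so records about the
        same subject stay linkable inside the dataset; the token itself is not
        reversible and cannot be recomputed by anyone who lacks the key.
        """
        canonical = "|".join(record[f].strip().lower() for f in IDENTIFIERS).encode()
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]
        # Keep the identifiers only here, so that authorised re-identification
        # (e.g. to honour an access or erasure request) remains possible.
        self._reverse.setdefault(token, {f: record[f] for f in IDENTIFIERS})
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Attribute a token back to a person; only works with this store."""
        return self._reverse.get(token)


def pseudonymise(records: List[Dict[str, str]], store: SeparateKeyStore) -> List[Dict[str, str]]:
    """Replace direct identifiers with a pseudonym, keeping the payload fields."""
    dataset = []
    for record in records:
        token = store.pseudonym_for(record)
        pseudo = {k: v for k, v in record.items() if k not in IDENTIFIERS}
        pseudo["subject_id"] = token
        dataset.append(pseudo)
    return dataset


def contains_direct_identifiers(dataset: List[Dict[str, str]]) -> bool:
    """Check whether any identifier field survived in the pseudonymised output."""
    return any(field in row for row in dataset for field in IDENTIFIERS)


def count_records_per_subject(dataset: List[Dict[str, str]]) -> Dict[str, int]:
    """Linkability within the dataset: how many records each pseudonym groups."""
    counts: Dict[str, int] = {}
    for row in dataset:
        counts[row["subject_id"]] = counts.get(row["subject_id"], 0) + 1
    return counts


if __name__ == "__main__":
    store = SeparateKeyStore()
    dataset = pseudonymise(SAMPLE_RECORDS, store)
    print(dataset)
    print(count_records_per_subject(dataset))
    print(store.reidentify(dataset[0]["subject_id"]))
    # A party holding only the dataset (a different store, no key) cannot
    # attribute the token to anyone.
    print(SeparateKeyStore().reidentify(dataset[0]["subject_id"]))
```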
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the key notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; for these, the established understanding cannot simply be carried over, and there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, which stated that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes information regarding both the individual’s private and family life and the individual's working, economic or social behaviour, regardless of the individual's position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); for example medical records on a patient, or the file of an employee.</ref> Conversely, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, when information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows inferences about the owner's wealth and income, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, geodata (such as GPS data and coordinates) also allow locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> This is especially relevant given the growing number of personal devices, wearables and RFID chips, as information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose of the information creates a relation to a person where the information is used to change that person's status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person's rights and interests determines whether information relates to that person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to whom the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through one of the “identifiers” listed in Article 4(1) GDPR: a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Further examples are provided by the WP29, which names telephone, car registration, social security and passport numbers as well as a person's height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, since the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a date of birth, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” when he or she has not yet been identified but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that generally considers information held by the controller as well as information held by other entities. However, the requirement that such means be “reasonably likely” to be used narrows this to a relative (subjective) approach. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the merely hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a public authority collects the IP addresses of visitors to its websites, for example, each address relates to an identifiable person, since the state has legal means to obtain from the internet service provider the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, given the increasing accessibility of information through big data technologies, means of identifying individuals become increasingly reasonable to use.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as further pieces of information are continually added to the data set.<ref>This therefore requires anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, Recital 26 GDPR expressly states that pseudonymised data which could be attributed to a natural person by the use of additional information is to be considered information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
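As an added illustration (example code written for this commentary, not part of the original page, the WP29 opinion or the CJEU's judgments), the following Python script makes the tests in this and the preceding paragraphs concrete: first, whether a combination of attributes that are each shared by many people (“quasi-identifiers” such as postcode, year of birth and sex) still singles out a record in a data set that contains no names; second, why an IP address that a controller has replaced by a hash remains information on an identifiable person, because the address space is small enough to enumerate and compare, and why a keyed pseudonym can be re-linked by whoever holds the key. The records, the IP range and the key are constructed for the demonstration and are not taken from any real case.<br />

```python
"""
Added example, not part of the gdprhub commentary: two small checks that
make the 'singling out' and 'means reasonably likely to be used' tests
concrete. All records, addresses and keys below are constructed.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter

# --- 1. Singling out through a combination of quasi-identifiers ---------
# Constructed "anonymous" export: no names, but attributes that each apply
# to many people. The question is whether a combination of them still
# distinguishes one record from all others (WP29 Opinion 4/2007, p. 12 ff.).
RECORDS = [
    {"id": 1, "postcode": "1010", "birth_year": 1984, "sex": "F", "diagnosis": "A"},
    {"id": 2, "postcode": "1010", "birth_year": 1984, "sex": "F", "diagnosis": "B"},
    {"id": 3, "postcode": "1010", "birth_year": 1991, "sex": "M", "diagnosis": "A"},
    {"id": 4, "postcode": "1020", "birth_year": 1975, "sex": "M", "diagnosis": "C"},
    {"id": 5, "postcode": "1020", "birth_year": 1975, "sex": "M", "diagnosis": "A"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def singled_out(records, keys=QUASI_IDENTIFIERS):
    """Return the ids of records whose quasi-identifier combination is unique.

    A unique combination means the record can be distinguished from every
    other record in the set: the person is singled out although no name,
    number or other direct identifier is present.
    """
    combos = Counter(tuple(r[k] for k in keys) for r in records)
    return sorted(r["id"] for r in records
                  if combos[tuple(r[k] for k in keys)] == 1)


# --- 2. Pseudonymised IP addresses remain identifiable ------------------
# A controller replaces each visitor's IPv4 address by a hash before
# storing it. Whether the result is still personal data depends on the
# means reasonably likely to be used to reverse it (Recital 26 GDPR).

def pseudonymise_unkeyed(ip):
    """Plain SHA-256 of the address: no secret is involved."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymise_keyed(ip, key):
    """HMAC-SHA-256: the key is the 'additional information' kept separately
    (Article 4(5) GDPR). Whoever holds it can re-link the pseudonym."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym, network, pseudonymise):
    """Enumerate every host address in `network`, apply the same function
    and return the address whose pseudonym matches, or None.

    The whole IPv4 space holds only 2**32 values, so for an unkeyed hash
    this costs seconds to hours, not years; a keyed hash cannot be
    enumerated without the key.
    """
    for host in ipaddress.ip_network(network).hosts():
        if pseudonymise(str(host)) == pseudonym:
            return str(host)
    return None


if __name__ == "__main__":
    print("singled out:", singled_out(RECORDS))           # [3]
    ip = "198.51.100.23"                 # RFC 5737 documentation range, constructed
    token = pseudonymise_unkeyed(ip)
    print("unkeyed:", reidentify(token, "198.51.100.0/24", pseudonymise_unkeyed))
    key = b"controller-secret-key"       # hypothetical key held only by the controller
    keyed = pseudonymise_keyed(ip, key)
    # Without the key, enumeration by a third party fails ...
    print("keyed, no key:", reidentify(keyed, "198.51.100.0/24", pseudonymise_unkeyed))
    # ... but the controller, holding the key, re-links the record at once.
    print("keyed, with key:", reidentify(keyed, "198.51.100.0/24",
                                         lambda a: pseudonymise_keyed(a, key)))
```

Record 3 is the only one whose postcode, birth year and sex combination is unique, so it is singled out without any name being present. The unkeyed hash is reversed by trying the 254 addresses of the constructed range, which is exactly the kind of cheap, technically available means Recital 26 asks about; the keyed hash resists that enumeration, but the controller who holds the key can still attribute it to the visitor, which is why the pseudonymised record remains personal data in its hands.<br />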
<br />
====Natural person====<br />
The right to data protection is not restricted to the nationals or residents of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
Building on this, national legislators usually define natural personhood as lasting from the moment of birth until the death of a person.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The GDPR therefore does not apply to the data of deceased persons.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide rules for the protection of the data of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where the data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws may grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
However, information regarding legal persons is protected by the GDPR where it at the same time constitutes information on natural persons. In particular, where information on a legal person allows information on the natural persons behind it to be derived, for example a company name or e-mail address that contains the name of its owner, it may relate to a natural person and therefore be personal data. This is especially common for small businesses, family-run or one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further Examples of Personal Data in CJEU Case Law ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12 and C-372/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients of those payments<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with their telephone number, or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address registered by an online media services provider when a person accesses its website<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate at a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints stored in a passport<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
Processing is another central requirement for the application of the GDPR. To qualify as processing, the operation in question must be performed on personal data within the meaning of Article 4(1) GDPR. It can be a single operation or a set of operations, which together are summarised as processing. These can be carried out by fully automated, partly automated or non-automated means. Processing therefore does not necessarily imply the use of electronic means but can also be carried out entirely manually,<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref> although manual processing falls within the material scope of the GDPR only where the personal data form part of, or are intended to form part of, a filing system (Article 2(1) GDPR).<br />
<br />
The notion of processing is intentionally broad and is implemented in Article 4(2) GDPR through a non-exhaustive enumeration of operations that constitute processing.<br />
<br />
- '''Collection''' (targeted procurement of single pieces of data), such as obtaining data through registration or contact forms.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref><br />
<br />
- '''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors.<br />
<br />
- '''Organisation''' (systematic ordering that enhances access to and evaluation of information), such as the systematic allocation of information within databases.<br />
<br />
- '''Structuring''' (ordering data according to certain criteria), such as ordering information numerically or alphabetically.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref><br />
<br />
- '''Storage''' (saving information in a physical and readable format), such as retaining information on paper, in files, or on disks, drives or (cloud) servers.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref><br />
<br />
- '''Adaptation''' (adjustments to the content of information according to specific criteria), such as updating information on age, address or income.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21 (NOMOS 2019).</ref><br />
<br />
- '''Alteration''' (changes to the form or content of data), such as corrections, pseudonymization or anonymization.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref><br />
<br />
- '''Retrieval''' (accessing stored information), such as loading information to be displayed on a device.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref><br />
<br />
- '''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref><br />
<br />
- '''Use''' (a catch-all term for all active operations conducted on personal data), such as using postal addresses to deliver orders or e-mail addresses to deliver messages.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref><br />
<br />
- '''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer or visitor information with another company. <br />
<br />
- '''Disclosure by dissemination''' (untargeted distribution of information to an unlimited number of recipients), such as newspaper articles or broadcasting on radio or TV.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref><br />
<br />
- '''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on a website or through search engines.<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref> <br />
<br />
- '''Alignment''' (comparison of information against other data sets or specific criteria), such as dragnet investigations (in German, ''Rasterfahndung'').<br />
<br />
- '''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR).<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref> <br />
<br />
- '''Restriction''' (marking stored data with the aim of limiting its further processing, see also Article 4(3) GDPR), such as temporarily moving the data to another processing system, making it unavailable to users or temporarily removing published data from a website.<ref>Recital 67 GDPR.</ref> <br />
<br />
- '''Erasure''' (irreversibly rendering information inaccessible), such as overwriting the data, possibly multiple times.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref> <br />
<br />
- '''Destruction''' (physically destroying the data carrier), such as shredding files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> <br />
<br />
Note that this list is non-exhaustive and its categories overlap. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains entirely passive and takes no action at all with regard to information that the data subject imposes on it.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref><br />
<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
JS https://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20018 Article 4 GDPR 2021-09-23T09:56:56Z <p>JS: /* Further Examples for Personal Data subject to the CJEU */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their interpretation can build on the understanding of the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements; they therefore require, and leave scope for, a new interpretation. <br />
<br />
Since the Regulation is equally binding in all official languages of the EU, differences between the language versions can lead to an inconsistent application of the law. Whenever the interpretation of a term is in doubt, other language versions should therefore be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four elements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘natural person’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also taken by the Commission in 1990, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes information regarding both the individual’s private and family life and the individual’s working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of a data subject, as well as ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As to the format or medium, information of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information needs to relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
The content of the information is "relating to" a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, without any possibility of singling out an individual, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events is not considered as relating to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly. For example, the objective value of a house allows conclusions about the owner's wealth and income, while car service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the locations and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information on such objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, the purpose for which information is used relates it to a person where it is used to evaluate that person or to change his or her status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relate to an individual where they are used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effect of the processing: where the use of the information is likely to have an impact on a particular person’s rights and interests, the information relates to that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a system deployed to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, with a strong impact on their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from a larger group of persons directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through “identifiers” such as those listed in Article 4(1) GDPR: a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. The WP29 names further examples, such as telephone, car registration, social security and passport numbers, as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> The name of a person is therefore not necessarily required to identify an individual, since the identifiers mentioned above are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not been identified yet, but identification is possible through a combination of the available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states that “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is therefore an absolute (objective) approach that considers both the information held by the controller and information held by other entities. However, the requirement that such means be “reasonably likely” to be used narrows the approach to a relative (subjective) one. Additionally, Recital 26 sentence 4 GDPR states that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment therefore requires a case-by-case decision on the reasonable likelihood of identification, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. Where a public authority collects the IP addresses of visitors to its websites, for example, each address relates to an identifiable person, given the state’s legal power to obtain the additional information required to link the IP address to the respective visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, identification becomes reasonably likely in an increasing number of cases.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Recital 26 GDPR therefore explicitly states that pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
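The practical difference between the two situations discussed above, an unkeyed hash of a low-entropy identifier such as an IPv4 address, which any third party can reverse at negligible cost, and a keyed pseudonym that only the holder of the separately kept key can re-link, can be shown in a few lines of Python. The following is an added example written for this commentary; it is not code from the GDPRhub page or from any of the cited sources. The sample address, the controller's register of addresses, the /16 search range and the choice of HMAC-SHA-256 as the pseudonymisation function are assumptions made for the illustration.<br />

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample data (not from the page): a visitor address taken from the
# documentation range 203.0.113.0/24 and a small "register" of addresses the
# controller already knows about.
SAMPLE_IP = "203.0.113.77"
CONTROLLER_REGISTER = ["203.0.113.5", "203.0.113.77", "203.0.113.200"]

# Candidate space an outsider would enumerate. The whole IPv4 space is only 2^32
# addresses; one /16 (65,536 addresses) is enough to make the point and runs in
# well under a second.
CANDIDATE_NETWORK = "203.0.0.0/16"


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address, as found in many 'anonymised' web logs.
    Anyone can recompute it, so it only hides the address from a casual reader."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. The key is the 'additional information'
    that Article 4(5) requires to be kept separately from the pseudonymised data."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def brute_force(pseudonym: str, network: str,
                pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Re-identify by enumerating every address in `network` and recomputing the
    pseudonym. The cost of this attack (one hash per candidate) is exactly the
    'cost and time required for identification' Recital 26 refers to."""
    for host in ipaddress.ip_network(network):
        candidate = str(host)
        if hmac.compare_digest(pseudonymise(candidate), pseudonym):
            return candidate
    return None


def naive_is_reidentifiable(ip: str = SAMPLE_IP) -> bool:
    """An outsider holding only the hashed log line recovers the address."""
    return brute_force(naive_pseudonym(ip), CANDIDATE_NETWORK, naive_pseudonym) == ip


def keyed_is_reidentifiable_without_key(ip: str = SAMPLE_IP) -> bool:
    """Same outsider, same enumeration, but the pseudonym is keyed. Without the
    key the outsider cannot recompute candidates; guessing a key does not help."""
    controller_key = secrets.token_bytes(32)     # kept by the controller only
    pseudonym = keyed_pseudonym(ip, controller_key)
    guessed_key = b"\x00" * 32                   # the outsider's best effort
    return brute_force(pseudonym, CANDIDATE_NETWORK,
                       lambda c: keyed_pseudonym(c, guessed_key)) == ip


def controller_relinks(ip: str = SAMPLE_IP) -> Optional[str]:
    """The controller, who holds the key and its own register of addresses, can
    still attribute the record to the data subject. That is why Recital 26 treats
    pseudonymised data as data on an identifiable person in the controller's hands."""
    controller_key = secrets.token_bytes(32)
    pseudonym = keyed_pseudonym(ip, controller_key)
    for known in CONTROLLER_REGISTER:
        if hmac.compare_digest(keyed_pseudonym(known, controller_key), pseudonym):
            return known
    return None


if __name__ == "__main__":
    print("unkeyed hash re-identified by outsider:", naive_is_reidentifiable())
    print("keyed pseudonym re-identified by outsider:", keyed_is_reidentifiable_without_key())
    print("keyed pseudonym re-linked by controller:", controller_relinks())
```

Run as a script, it prints the three outcomes. The point for the Recital 26 analysis is the cost: reversing the unkeyed hash takes one hash per candidate address, at most 2^32 for all of IPv4, which is a means reasonably likely to be used by anyone who obtains the log. Reversing the keyed pseudonym requires the key, so only the controller (or anyone who obtains the key from it) can identify the data subject, which is why the data remain personal data in the controller's hands while being pseudonymised towards everyone else.<br />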
<br />
====Natural person====<br />
The right to data protection is not restricted to nationals or residents of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but is granted to all natural persons, in line with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
National laws usually define the natural person as existing from the moment of birth until death.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not considered personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> However, Member States may provide for rules on the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. A further exception can apply to genetic data, where data of deceased persons may be indirectly protected as data relating to their living relatives.<ref>Especially where a genetic disease of a parent indicates that the children may suffer from it as well, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions of the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional law can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(1) GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, for example from a company’s name or e-mail address, it may relate to that natural person and therefore constitute personal data. This is especially common for small businesses, family-run businesses and one-person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
==== Further examples of personal data according to the CJEU ====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*Name of a person in conjunction with his telephone number or information about his employment, working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Video surveillance recordings<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written exam answers<ref>CJEU, C-434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C-291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
You can help us fill this section!<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The Regulation contains other articles that directly or indirectly deliver definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20017Article 4 GDPR2021-09-23T09:56:17Z<p>JS: Updating Article 4(1) GDPR</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.<br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for these new definitions there is scope for new readings.<br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt about the interpretation of a term, other language versions may be consulted to identify and resolve discrepancies.<br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated already in 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was later also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314 final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information on an individual's private and family life and information on his or her working, economic or social behaviour, regardless of the position or capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be ‘objective’, such as unchangeable characteristics of the data subject, or ‘subjective’, such as opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> Nor does the information have to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards format or medium, data of any type is covered, whether alphabetical, numerical, (photo)graphic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother's behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
The information must relate to an individual. In line with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement on the basis of three alternative criteria, namely “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref><br />
<br />
By reason of its content, information relates to a person when it is about that particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> By contrast, information relating to a larger group of persons, from which no individual can be singled out, does not relate to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information linked exclusively to objects or events is not related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of Mount Everest.</ref> However, where information on objects also concerns individuals, it relates to them indirectly: the value of a house allows inferences about the owner's wealth and income, and car service records allow conclusions about the driver's behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Likewise, geodata (such as GPS data and coordinates) allows the location and movement patterns of individuals to be derived.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> With the growing number of personal devices, wearables and RFID chips, information about these objects increasingly relates to the person carrying them.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><br />
<br />
Furthermore, by reason of its purpose, information relates to a person where it is used, or is likely to be used, to evaluate, treat in a certain way or influence the status or behaviour of that person.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose element is closely connected to the result (effect) element: information relates to a person where its use is likely to have an impact on that person's rights and interests, even if the information is not about that person and is not used with the purpose of evaluating him or her.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, a satellite location system deployed to dispatch the nearest available taxi can also be used to monitor the performance of the drivers, which affects their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Identified or Identifiable====<br />
The person to which the information relates must also be identified or identifiable. <br />
<br />
A person is “identified” where he or she can be distinguished, or “singled out”, from all other members of a group directly on the basis of the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through “identifiers”, of which Article 4(1) GDPR lists a name, an identification number, location data, an online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person. The WP29 gives further examples, naming telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> A name is therefore not required to identify an individual; the identifiers just mentioned are often more unique than a name.<ref>For direct identification, the name of a person usually requires a combination with further information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
A person is “identifiable” where he or she has not yet been identified, but identification is possible by combining available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states: “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” The starting point is thus an absolute (objective) approach, which takes into account information held by the controller as well as information held by other entities. The requirement that such means be “reasonably likely” to be used, however, narrows the test to a relative (subjective) one that depends on the circumstances of the controller. Recital 26 sentence 4 GDPR adds that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''”<br />
<br />
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> a merely hypothetical possibility of identifying the person using information held by other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The assessment is therefore made case by case, weighing the reasonable likelihood of identification in light of state-of-the-art tools, the available sources, and the cost, time and effort required. For example, a dynamic IP address logged by the operator of a government website relates to an identifiable person, because the operator has legal means to obtain from the internet service provider the additional information needed to link the address to the visitor.<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similarly for cookies and device fingerprinting, see ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref><br />
<br />
Furthermore, as big data technologies make ever more information accessible, the means needed to identify individuals become ever more likely to be used.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> This applies in particular where information is stored over a long period of time: the more pieces of information are added to a data set, the more likely it becomes that the persons concerned can be identified.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For this reason, Recital 26 GDPR expressly provides that pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered information on an identifiable natural person. For further information, see also the commentary on Article 4(5) GDPR.<br />
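To make the Recital 26 test concrete, the following Python script is an added illustration by the editor and is not part of the GDPRhub commentary or of any of the cited sources. It constructs a small "pseudonymised" extract in which the name column was replaced by an unsalted SHA-256 hash while ZIP code, date of birth and sex were kept, together with a constructed auxiliary data set standing in for a public register. It shows three things a practitioner assessing identifiability should expect: (1) a hash of a low-entropy input such as a name is reversed by simply hashing a list of candidate names, (2) the retained quasi-identifiers link most records back to a name by exact matching, and (3) a k-anonymity measure quantifies the exposure, and generalising the quasi-identifiers (truncated ZIP, birth year only) removes the unique matches. All records, names, ZIP codes and helper functions are constructed for this example.<br />

```python
"""Re-identification of a 'pseudonymised' data set by linkage on quasi-identifiers.

Added illustration of the Recital 26 GDPR test ('means reasonably likely to be
used'); all records and names below are constructed for this example.
"""
import hashlib
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

QUASI_IDENTIFIERS = ("zip", "dob", "sex")  # attributes retained in the 'pseudonymised' extract


def pseudonym(name: str) -> str:
    """The (weak) pseudonymisation used by the constructed extract: unsalted SHA-256 of the name."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


# Constructed 'pseudonymised' health extract: the name column was replaced by pseudonym(name),
# but ZIP code, date of birth and sex were kept as attributes.
PSEUDONYMISED_RECORDS: List[Dict[str, str]] = [
    {"pid": pseudonym("Alice Example"), "zip": "1010", "dob": "1990-03-12", "sex": "F", "diagnosis": "asthma"},
    {"pid": pseudonym("Carol Example"), "zip": "1030", "dob": "1990-06-30", "sex": "F", "diagnosis": "migraine"},
    {"pid": pseudonym("Bob Example"),   "zip": "1020", "dob": "1979-11-02", "sex": "M", "diagnosis": "diabetes"},
    {"pid": pseudonym("Dan Example"),   "zip": "1040", "dob": "1979-04-21", "sex": "M", "diagnosis": "hypertension"},
    {"pid": pseudonym("Dana Example"),  "zip": "1040", "dob": "1992-01-15", "sex": "F", "diagnosis": "eczema"},
    {"pid": pseudonym("Eva Example"),   "zip": "1040", "dob": "1992-01-15", "sex": "F", "diagnosis": "anaemia"},
]

# Constructed auxiliary data set (standing in for a public register) that another entity can
# reasonably be expected to hold: names together with the same quasi-identifiers.
AUXILIARY_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "zip": "1010", "dob": "1990-03-12", "sex": "F"},
    {"name": "Bob Example",   "zip": "1020", "dob": "1979-11-02", "sex": "M"},
    {"name": "Carol Example", "zip": "1030", "dob": "1990-06-30", "sex": "F"},
    {"name": "Dan Example",   "zip": "1040", "dob": "1979-04-21", "sex": "M"},
    {"name": "Dana Example",  "zip": "1040", "dob": "1992-01-15", "sex": "F"},
    {"name": "Eva Example",   "zip": "1040", "dob": "1992-01-15", "sex": "F"},
    {"name": "Frank Example", "zip": "1050", "dob": "1970-05-05", "sex": "M"},
]


def qi_key(record: Dict[str, str]) -> Tuple[str, ...]:
    """Tuple of the quasi-identifier values of a record; serves as the equivalence-class key."""
    return tuple(record[k] for k in QUASI_IDENTIFIERS)


def k_anonymity(records: Iterable[Dict[str, str]]) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique, i.e. can be singled out without further data."""
    return min(Counter(qi_key(r) for r in records).values())


def link(pseudonymised: Iterable[Dict[str, str]], auxiliary: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Linkage attack: map pid -> name for every record whose quasi-identifiers match exactly
    one auxiliary record. Ambiguous matches (several candidates) are not counted as identified."""
    by_key: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for a in auxiliary:
        by_key[qi_key(a)].append(a["name"])
    return {r["pid"]: by_key[qi_key(r)][0]
            for r in pseudonymised if len(by_key.get(qi_key(r), [])) == 1}


def reverse_pseudonyms(pseudonymised: Iterable[Dict[str, str]], candidate_names: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on the unsalted hash: the input space (names) is small, so the hash is
    recomputed for each candidate and compared. No quasi-identifiers are needed for this."""
    table = {pseudonym(n): n for n in candidate_names}
    return {r["pid"]: table[r["pid"]] for r in pseudonymised if r["pid"] in table}


def generalise(records: Iterable[Dict[str, str]], zip_digits: int = 2) -> List[Dict[str, str]]:
    """Coarsen the quasi-identifiers (truncate the ZIP code, keep only the birth year)
    so that equivalence classes grow and exact linkage becomes ambiguous."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    names = [a["name"] for a in AUXILIARY_RECORDS]
    print("k-anonymity of raw extract:", k_anonymity(PSEUDONYMISED_RECORDS))
    print("records re-identified by linkage:", len(link(PSEUDONYMISED_RECORDS, AUXILIARY_RECORDS)))
    print("pseudonyms reversed by dictionary attack:", len(reverse_pseudonyms(PSEUDONYMISED_RECORDS, names)))
    generalised = generalise(PSEUDONYMISED_RECORDS)
    print("k-anonymity after generalisation:", k_anonymity(generalised))
    print("records re-identified after generalisation:", len(link(generalised, generalise(AUXILIARY_RECORDS))))
```

On the constructed data the raw extract has k = 1, four of six records are linked to a name by the quasi-identifiers alone, and all six hashed identifiers are recovered by the dictionary attack, which is why an unsalted hash of a name or IP address is pseudonymisation at best and not anonymisation. After generalisation k rises to 2 and exact linkage yields nothing, although the dictionary attack on the hashed column is unaffected; only a keyed or salted pseudonym whose key is held separately, as Article 4(5) GDPR envisages, closes that path.<br />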
<br />
====Natural person====<br />
The protection afforded by the GDPR is not restricted to nationals or residents of particular countries<ref>Recital 14 sentence 1 GDPR</ref> but applies to all natural persons, consistent with Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><br />
<br />
National legal systems generally treat natural personhood as beginning at birth and ending at death.<ref>However, the rules for unborn children differ strongly between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Information relating to deceased persons is therefore not personal data under the GDPR.<ref>See Recital 27 sentence 1 GDPR.</ref> Member States may, however, provide for rules regarding the processing of personal data of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually done through data protection, constitutional or personality rights. Genetic data of a deceased person may also be protected indirectly, because it is at the same time information about living relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<br />
<br />
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional law may grant legal persons separate protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref><br />
<br />
Information about a legal person is nonetheless personal data where it is at the same time information about a natural person. Where information on a legal person allows conclusions about the natural persons behind it, for example because the company's name or e-mail address contains a person's name, it relates to that natural person. This is common for small, family-run or one-person businesses.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><br />
<br />
====Further examples of personal data from CJEU case law====<br />
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*Municipality of residence and information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*Data relating both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*The name of a person in conjunction with their telephone number, or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*A dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*Images of persons recorded by a video surveillance camera<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref><br />
*Written answers submitted by a candidate at a professional examination and the examiner's comments on those answers<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
You can help us fill this section!<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as:<br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20016Article 4 GDPR2021-09-23T09:20:41Z<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions that specify the notions used throughout the GDPR. <br />
<br />
Some definitions are taken over from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their interpretation can build on the understanding already established for those terms. Other definitions are newly introduced, modified or complemented with additional elements; for these there is scope for, and a need of, a fresh interpretation. <br />
<br />
The Regulation is equally binding in all official languages of the EU. In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, other language versions may therefore be consulted whenever the interpretation of a term is in doubt, so as to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be broken down into four elements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> The Commission took the same position in 1990, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In the same vein, the European Court of Human Rights has held that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95], 16 February 2000, § 65.</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of the capacity in which the individual acts.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information may be ‘objective’, such as fixed characteristics of the data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> The information need not be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, graphical, photographic or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking recordings,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawing.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
You can help us fill this section!<br />
<br />
====Identified or Identifiable====<br />
You can help us fill this section!<br />
<br />
====Individual====<br />
You can help us fill this section!<br />
<br />
====Decided Examples====<br />
*name, date of birth, nationality, gender, ethnicity, religion and language of an applicant for a residence permit (whereas the legal analysis contained in the same document is not personal data)<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*municipality of residence and information concerning the earned and unearned income and assets of a person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*data relating both to the remuneration paid by certain public bodies and to the recipients of that remuneration<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref><br />
*the name of a person together with their telephone number or information about their working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*the times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*a dynamic IP address, in relation to a website operator that has legal means to obtain from the internet service provider the additional data needed to identify the visitor<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*the written answers submitted by a candidate in a professional examination and the examiner's comments on them<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
You can help us fill this section!<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
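The definition in Article 4(5) GDPR turns on two things: the identifier is replaced by a value that cannot be attributed to the data subject on its own, and the ‘additional information’ needed to reverse that replacement is kept separately under technical and organisational measures. Pseudonymised data remain personal data (see Recital 26 GDPR). The following Python script is an added illustration of those mechanics and is not part of the original page or of any real system; the records, addresses and key are constructed, and whether a given scheme meets the legal definition remains a case-by-case assessment. It contrasts an unkeyed hash of an e-mail address, which anyone holding a list of candidate addresses can reverse, with a keyed (HMAC-SHA256) pseudonym whose key is the separately held additional information.<br />

```python
"""Pseudonymisation in the sense of Article 4(5) GDPR: keyed pseudonyms versus plain hashes.

Added illustration with constructed data; not taken from any real controller or system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (hypothetical people). The third row is the same
# person as the first, written with different casing.
RECORDS: List[Dict[str, str]] = [
    {"email": "anna@example.org", "diagnosis": "J45"},
    {"email": "bert@example.org", "diagnosis": "E11"},
    {"email": "Anna@Example.org", "diagnosis": "I10"},
]
FIELD = "email"  # the direct identifier to be replaced


def canonical(identifier: str) -> bytes:
    """Normalise the identifier so the same person always yields the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def pseudonym(identifier: str, key: Optional[bytes]) -> str:
    """Keyed HMAC-SHA256 pseudonym, or an unkeyed SHA-256 digest when key is None."""
    data = canonical(identifier)
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: Optional[bytes]) -> List[Dict[str, str]]:
    """Return copies of the records with the direct identifier replaced by a pseudonym.

    With a key, the key is the 'additional information' of Art. 4(5): it has to be stored
    apart from the pseudonymised data set and protected by technical and organisational
    measures. The other attributes are left untouched, so the data set stays usable for
    analysis and records of the same person stay linkable.
    """
    return [{**r, FIELD: pseudonym(r[FIELD], key)} for r in records]


def reidentify(pseudo_records: List[Dict[str, str]], key: bytes,
               known_identifiers: List[str]) -> List[Dict[str, str]]:
    """Attribute pseudonyms back to data subjects.

    Only possible for whoever holds both the key and a list of candidate identifiers
    (for instance the controller's own customer file kept in a separate system).
    """
    lookup = {pseudonym(i, key): i.strip().lower() for i in known_identifiers}
    return [{**r, FIELD: lookup.get(r[FIELD], r[FIELD])} for r in pseudo_records]


def dictionary_attack(pseudo_records: List[Dict[str, str]], candidates: List[str]) -> int:
    """Model an attacker holding the pseudonymised set and a candidate address list, but no key.

    The attacker recomputes unkeyed digests for every candidate and counts how many records
    are thereby attributed to a person. Against plain hashes this succeeds; against keyed
    pseudonyms it does not, because the digests cannot be recomputed without the key.
    """
    lookup = {pseudonym(c, None): c for c in candidates}
    return sum(1 for r in pseudo_records if r[FIELD] in lookup)


def demo() -> Dict[str, object]:
    """Run both schemes over the constructed records and report the outcome."""
    key = secrets.token_bytes(32)  # generated once; to be stored separately from the data
    keyed = pseudonymise(RECORDS, key)
    unkeyed = pseudonymise(RECORDS, None)
    candidates = ["anna@example.org", "bert@example.org", "carl@example.org"]
    return {
        # same person -> same pseudonym, so analytics across records still work
        "linkable": keyed[0][FIELD] == keyed[2][FIELD],
        # plain hashing: every record is attributed from the candidate list alone
        "recovered_unkeyed": dictionary_attack(unkeyed, candidates),
        # keyed pseudonyms: nothing is recovered without the separately held key
        "recovered_keyed": dictionary_attack(keyed, candidates),
        # the key holder with the candidate list can re-attribute the records
        "reidentified": [r[FIELD] for r in reidentify(keyed, key, candidates)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed variant is not a safeguard in the sense of Article 4(5): the ‘additional information’ it relies on is merely the set of plausible e-mail addresses, which is not secret. In the keyed variant the security of the scheme collapses to the handling of the key, which is why the definition insists that the additional information be kept separately and under technical and organisational measures.<br />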
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other provisions that directly or indirectly supply definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20015Article 4 GDPR2021-09-23T08:46:43Z<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing their understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require, and leave scope for, a new interpretation. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever an interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements, (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’ and (4) ‘individual’, all of which must be fulfilled cumulatively in order to satisfy the notion of personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of the individual's position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
With regard to the format or medium of the information, data of any type is concerned, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
You can help us fill this section!<br />
<br />
====Identified or Identifiable====<br />
You can help us fill this section!<br />
<br />
====Individual====<br />
You can help us fill this section!<br />
<br />
====Decided Examples====<br />
*name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*data which relate both to the monies paid by certain bodies and to the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*the times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
You can help us fill this section!<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach ===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service ===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant to the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JShttps://gdprhub.eu/index.php?title=Article_4_GDPR&diff=20014Article 4 GDPR2021-09-23T08:44:43Z<p>JS: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 3 GDPR|←]] Article 4: Definitions [[Article 5 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 4 - Definitions'''</center><br /><br />
<br />
For the purposes of this Regulation:<br />
<br />
<span id="1">1. ‘'''personal data'''’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</span><br />
<br />
<span id="2">2. ‘'''processing'''’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;</span><br />
<br />
<span id="3">3. ‘'''restriction of processing'''’ means the marking of stored personal data with the aim of limiting their processing in the future;</span><br />
<br />
<span id="4">4. ‘'''profiling'''’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;</span><br />
<br />
<span id="5">5. ‘'''pseudonymisation'''’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;</span><br />
<br />
<span id="6">6. ‘'''filing system'''’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;</span><br />
<br />
<span id="7">7. ‘'''controller'''’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;</span><br />
<br />
<span id="8">8. ‘'''processor'''’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;</span><br />
<br />
<span id="9">9. ‘'''recipient'''’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</span><br />
<br />
<span id="10">10. ‘'''third party'''’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;</span><br />
<br />
<span id="11">11. ‘'''consent'''’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;</span><br />
<br />
<span id="12">12. ‘'''personal data breach'''’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;</span><br />
<br />
<span id="13">13. ‘'''genetic data'''’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;</span><br />
<br />
<span id="14">14. ‘'''biometric data'''’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;</span><br />
<br />
<span id="15">15. ‘'''data concerning health'''’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;</span><br />
<br />
<span id="16">16. ‘'''main establishment'''’ means:</span><br />
<br />
::<span id="16a">(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;</span><br />
::<span id="16b">(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;</span><br />
<br />
<span id="17">17. ‘'''representative'''’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to [[Article 27 GDPR|Article 27]], represents the controller or processor with regard to their respective obligations under this Regulation;</span><br />
<br />
<span id="18">18. ‘'''enterprise'''’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;</span><br />
<br />
<span id="19">19. ‘'''group of undertakings'''’ means a controlling undertaking and its controlled undertakings;</span><br />
<br />
<span id="20">20. ‘'''binding corporate rules'''’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;</span><br />
<br />
<span id="21">21. ‘'''supervisory authority'''’ means an independent public authority which is established by a Member State pursuant to [[Article 51 GDPR|Article 51]];</span><br />
<br />
<span id="22">22. ‘'''supervisory authority concerned'''’ means a supervisory authority which is concerned by the processing of personal data because:</span><br />
<br />
::<span id="22a">(a) the controller or processor is established on the territory of the Member State of that supervisory authority;</span><br />
<br />
::<span id="22b">(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or</span><br />
<br />
::<span id="22c">(c) a complaint has been lodged with that supervisory authority;</span><br />
<br />
<span id="23">23. ‘'''cross-border processing'''’ means either:</span><br />
<br />
::<span id="23a">(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or</span><br />
<br />
::<span id="23b">(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.</span><br />
<br />
<span id="24">24. ‘'''relevant and reasoned objection'''’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;</span><br />
<br />
<span id="25">25. ‘'''information society service'''’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;</span> <br />
<br />
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span><br />
<br />
==Relevant Recitals==<br />
===Personal Data===<br />
{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/26 GDPR}}{{Recital/27 GDPR}}{{Recital/29 GDPR}}{{Recital/30 GDPR}}<br />
<br />
==Commentary==<br />
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. <br />
<br />
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation; for these new definitions there is scope for new interpretations. <br />
<br />
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation of a term is in doubt, the other language versions may be consulted to identify and resolve discrepancies. <br />
<br />
===(1) Personal Data===<br />
The principal concept of the GDPR is that of ‘personal data’.<ref>European Commission, [https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en What is personal data?] (accessed on 08.09.2021); its antonym is defined in [https://eur-lex.europa.eu/eli/reg/2018/1807/oj Article 3(1) of Regulation (EU) 2018/1807].</ref><br />
<br />
Its definition is an extension of the previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.<br />
<br />
The definition can be divided into four requirements: (1) ‘any information’, (2) ‘relating to’, (3) ‘an identified or identifiable’, (4) ‘individual’. All four must be fulfilled cumulatively for information to qualify as personal data.<br />
====Any Information====<br />
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.<br />
<br />
In this regard, the German Federal Constitutional Court stated as early as 1983 that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position was subsequently also supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, the European Court of Human Rights also stated that:<br />
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref><br />
<br />
Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of his or her position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref><br />
<br />
As regards the format or medium of the information, data of any type is covered, whether alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telephone banking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even a child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><br />
<br />
====Relating to====<br />
You can help us fill this section!<br />
<br />
====Identified or Identifiable====<br />
You can help us fill this section!<br />
<br />
====Individual====<br />
You can help us fill this section!<br />
<br />
====Decided Examples====<br />
*name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref><br />
*place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref><br />
*municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref><br />
*data which relate both to the monies paid by certain bodies and to the recipients of those monies<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others, 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref><br />
*name of a person in conjunction with his or her telephone number or information about his or her working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref><br />
*the times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref><br />
*dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref><br />
*written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref><br />
*fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref><br />
<br />
===(2) Processing===<br />
You can help us fill this section!<br />
===(3) Restriction of processing===<br />
You can help us fill this section!<br />
===(4) Profiling===<br />
You can help us fill this section!<br />
===(5) Pseudonymisation===<br />
You can help us fill this section!<br />
===(6) Filing system===<br />
You can help us fill this section!<br />
===(7) Controller===<br />
You can help us fill this section!<br />
<br />
===(8) Processor===<br />
You can help us fill this section!<br />
===(9) Recipient===<br />
You can help us fill this section!<br />
===(10) Third party===<br />
You can help us fill this section!<br />
===(11) Consent===<br />
You can help us fill this section!<br />
===(12) Personal data breach===<br />
You can help us fill this section!<br />
===(13) Genetic data===<br />
You can help us fill this section!<br />
===(14) Biometric data===<br />
You can help us fill this section!<br />
===(15) Data concerning health===<br />
You can help us fill this section!<br />
===(16) Main establishment===<br />
You can help us fill this section!<br />
===(17) Representative===<br />
You can help us fill this section!<br />
===(18) Enterprise===<br />
You can help us fill this section!<br />
===(19) Group of undertakings===<br />
You can help us fill this section!<br />
===(20) Binding corporate rules===<br />
You can help us fill this section!<br />
===(21) Supervisory authority===<br />
You can help us fill this section!<br />
===(22) Supervisory authority concerned===<br />
You can help us fill this section!<br />
===(23) Cross-border processing===<br />
You can help us fill this section!<br />
===(24) Relevant and reasoned objection===<br />
You can help us fill this section!<br />
===(25) Information society service===<br />
You can help us fill this section!<br />
<br />
===(26) International organisation===<br />
You can help us fill this section!<br />
<br />
=== Other Definitions ===<br />
Article 4 GDPR is not the only provision defining terms relevant for the GDPR. The Regulation contains other articles that directly or indirectly provide definitions, such as: <br />
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,<br />
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,<br />
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,<br />
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: ‘storage limitation’,<br />
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,<br />
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,<br />
*[[Article 8 GDPR]]: ‘child’,<br />
*[[Article 9 GDPR]]: ‘special categories of personal data’,<br />
*[[Article 51 GDPR]]: ‘supervisory authority’,<br />
*[[Article 68 GDPR]]: ‘European Data Protection Board’.<br />
For further information please see the commentary on the respective Articles.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 4 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>JS