https://gdprhub.eu/api.php?hidebots=1&urlversion=1&days=7&limit=50&target=Article_18_GDPR&action=feedrecentchanges&feedformat=atom
GDPRhub - Changes related to "Article 18 GDPR" [en]
2024-03-19T03:36:18Z
Related changes
MediaWiki 1.39.6
https://gdprhub.eu/index.php?title=Article_60_GDPR&diff=40411&oldid=39171
Article 60 GDPR
2024-03-18T16:04:31Z
<p><span dir="auto"><span class="autocomment">Commentary</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:04, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l221">Line 221:</td>
<td colspan="2" class="diff-lineno">Line 221:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 60 GDPR regulates the co-decision making procedure to be followed in cross-border cases ([[Article 56 GDPR|Article 56(1) GDPR]]). It specifies the rules of procedure that follows after the lead supervisory authority (''"LSA"'') has been identified under the competence-establishing provision of [[Article 56 GDPR|Article 56(1) GDPR]]. In such cases, the LSA, i.e. the SA of the place where the controller's or processor's main or sole establishment is located in the EEA, assumes the role of directing and coordinating the decision-making procedure. In doing so, the LSA has to cooperate with the other CSA in accordance with the principles and rules provided by Article 60 GDPR and more generally throughout Chapter VII. The cooperation procedure, in the event of a complaint-based investigation, ends with the decision of a SA which either (i) finds a violation of the GDPR by the controller or processor and orders the infringment to be remedied and thereby at the same time grants or partialy grants the complaint or (ii) rejects or dismisses the complaint or parts thereof.<ref>''Peuker,'' in Sydow, Marsch, DS-GVO/BDSG, Article 60 GDPR, margin number 2 (Nomos 2022).</ref> In addition to relevant provisions of the GDPR, national procedural rules apply for any matter that is not regulated by the GDPR.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 60 GDPR regulates the co-decision making procedure to be followed in cross-border cases ([[Article 56 GDPR|Article 56(1) GDPR]]). 
It specifies the rules of procedure that follows after the lead supervisory authority (''"LSA"'') has been identified under the competence-establishing provision of [[Article 56 GDPR|Article 56(1) GDPR]]. In such cases, the LSA, i.e. the SA of the place where the controller's or processor's main or sole establishment is located in the EEA, assumes the role of directing and coordinating the decision-making procedure. In doing so, the LSA has to cooperate with the other CSA in accordance with the principles and rules provided by Article 60 GDPR and more generally throughout Chapter VII. The cooperation procedure, in the event of a complaint-based investigation, ends with the decision of a SA which either (i) finds a violation of the GDPR by the controller or processor and orders the infringment to be remedied and thereby at the same time grants or partialy grants the complaint or (ii) rejects or dismisses the complaint or parts thereof.<ref>''Peuker,'' in Sydow, Marsch, DS-GVO/BDSG, Article 60 GDPR, margin number 2 (Nomos 2022).</ref> In addition to relevant provisions of the GDPR, national procedural rules apply for any matter that is not regulated by the GDPR.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Case law: C-645/19, paras 51-53 </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Case law: <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit|</ins>C-645/19<ins style="font-weight: bold; text-decoration: none;">]]</ins>, paras 51-53 </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A draft procedural regulation has been proposed by the Commission to further specify the rules on cooperation between SAs in the one-stop-shop mechanism with the aim to address the shortcomings of the current regulation. <blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022022-application-article-60-gdpr_en Guidelines 02/2022 on the application of Article 60 GDPR] </blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>A draft procedural regulation has been proposed by the Commission to further specify the rules on cooperation between SAs in the one-stop-shop mechanism with the aim to address the shortcomings of the current regulation. <blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022022-application-article-60-gdpr_en Guidelines 02/2022 on the application of Article 60 GDPR] </blockquote></div></td></tr>
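Review bot: the changed line still reads as a bare citation ("Case law: C-645/19, paras 51-53") with no statement of what those paragraphs hold for the Article 60 procedure. Now that the case is linked, add one sentence summarising the point, or move the citation into a ref footnote like the Peuker citation in the paragraph above.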
<!-- diff cache key gdprwiki:diff::1.12:old-39171:rev-40411 -->
</table>
Sfl
https://gdprhub.eu/index.php?title=Article_55_GDPR&diff=40409&oldid=39694
Article 55 GDPR
2024-03-18T16:01:09Z
<p><span dir="auto"><span class="autocomment">(1) Territorial competence of supervisory authorities (SAs)</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:01, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l208">Line 208:</td>
<td colspan="2" class="diff-lineno">Line 208:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Example: If the Austrian SA would issue a decision by which it would ban further processing of data and impose a 150.000 EUR fine against a controller from France that has no establishment in Austria the Austrian authority would not have the power or any means to force the controller to comply with the decision and pay the fine since it is not on the territory of Austria.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This was confirmed by CJEU in C-230/14 - Weltimmo. The judgement, among others, confirmed the territorial nature of competences, performance of tasks and exercising of powers of SAs. It concerned the interpretation of Article 28 GDPR of Directive 95/46, the GDPR predecessor. It stays relevant with regard to concepts explained and guiding principles regarding SAs' competences, including their duty to cooperate with other SAs, where necessary to enforce the law in order to provide effective protection to individuals.<ref>''See Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 905 (Oxford University Press 2020); ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55, margin number 11 (C.H. Beck 2024, 4<sup>th</sup> edition) and ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 6 (Nomos 2019).</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This was confirmed by CJEU in <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C-230/14 - Weltimmo|</ins>C-230/14 - Weltimmo<ins style="font-weight: bold; text-decoration: none;">]]</ins>. The judgement, among others, confirmed the territorial nature of competences, performance of tasks and exercising of powers of SAs. It concerned the interpretation of Article 28 GDPR of Directive 95/46, the GDPR predecessor. 
It stays relevant with regard to concepts explained and guiding principles regarding SAs' competences, including their duty to cooperate with other SAs, where necessary to enforce the law in order to provide effective protection to individuals.<ref>''See Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 905 (Oxford University Press 2020); ''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55, margin number 11 (C.H. Beck 2024, 4<sup>th</sup> edition) and ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 58 GDPR, margin number 6 (Nomos 2019).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The limitation of jurisdiction to the territory of the state ''“confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The limitation of jurisdiction to the territory of the state ''“confirms the role of SA as enforcement authorities, having competence on national territory equal to other public bodies and judicial authorities.”''<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, p. 904 (Oxford University Press 2020).</ref></div></td></tr>
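Review bot: in the changed paragraph, "Article 28 GDPR of Directive 95/46" names two instruments for one provision. Since the same sentence calls the Directive "the GDPR predecessor", the "GDPR" after "Article 28" should be dropped so that it reads "Article 28 of Directive 95/46"; worth fixing in the same edit that adds the Weltimmo link.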
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l222">Line 222:</td>
<td colspan="2" class="diff-lineno">Line 222:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Case law: In Weltimmo CJEU considered that operating a website by a company of one state in the language of another state and having, among others, a representative in that state, who was actively involved in certain operations of the company in that state, presents real and effective activity through stable arrangements vesting the competence to hear claims of individuals with the SA of that state. The representative has sought to negotiate the settlement of the unpaid debts with the advertisers, served as a point of contact between that company and the data subjects who lodged complaints and represented the company in the administrative and judicial proceedings. He had a Hungarian address and was also recorded in the Slovak companies registry with that address. <ref>CJEU judgement in case ''C-230/14 - Weltimmo,'' paragraphs 31-38.</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Case law: In Weltimmo CJEU considered that operating a website by a company of one state in the language of another state and having, among others, a representative in that state, who was actively involved in certain operations of the company in that state, presents real and effective activity through stable arrangements vesting the competence to hear claims of individuals with the SA of that state. 
The representative has sought to negotiate the settlement of the unpaid debts with the advertisers, served as a point of contact between that company and the data subjects who lodged complaints and represented the company in the administrative and judicial proceedings. He had a Hungarian address and was also recorded in the Slovak companies registry with that address. <ref>CJEU judgement in case ''C-230/14 - Weltimmo,'' paragraphs 31-38.</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On the other hand, as confirmed in ''C-191/15 - Verein für <del style="font-weight: bold; text-decoration: none;">Konsumenteninformationen</del>'', the mere accessibility of a website in a Member State does not suffice to constitute establishment and vest competence with the SA of that state.<ref name=":0">''C-191/15 - Verein für Konsumenteninformationen'', paragraph 76.</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On the other hand, as confirmed in ''C-191/15 - Verein für <ins style="font-weight: bold; text-decoration: none;">Konsumenteninformation</ins>'', the mere accessibility of a website in a Member State does not suffice to constitute establishment and vest competence with the SA of that state.<ref name=":0">''C-191/15 - Verein für Konsumenteninformationen'', paragraph 76.</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concepts of "in the context of its activities" and "establishment" are further discussed in [[Article 4 GDPR]] of this commentary.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concepts of "in the context of its activities" and "establishment" are further discussed in [[Article 4 GDPR]] of this commentary.</div></td></tr>
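Review bot: the spelling is corrected to "Konsumenteninformation" in the sentence, but the footnote on the same line (ref name ":0") still reads "C-191/15 - Verein für Konsumenteninformationen", so the case name is now spelled two ways. Update the footnote to match.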
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l249">Line 249:</td>
<td colspan="2" class="diff-lineno">Line 249:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The jurisdiction of a SA and its coercive power is limited to the territory of its own state due to the principle of sovereignty. This means that a SA of one Member State cannot use its powers outside the borders of it's state, on the territory of another state.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> The provision should not be understood as an obligation that each SA must be competent for the whole territory where several SAs co-exist in one Member State. It is a question of national law to determine the jurisdiction of SAs when a state takes advantage of the option provided under [[Article 51 GDPR|Article 51(3) GDPR]] to establish several SAs.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The jurisdiction of a SA and its coercive power is limited to the territory of its own state due to the principle of sovereignty. 
This means that a SA of one Member State cannot use its powers outside the borders of it's state, on the territory of another state.<ref>''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> The provision should not be understood as an obligation that each SA must be competent for the whole territory where several SAs co-exist in one Member State. It is a question of national law to determine the jurisdiction of SAs when a state takes advantage of the option provided under [[Article 51 GDPR|Article 51(3) GDPR]] to establish several SAs.<ref>''Boehm'', in Kühling, Buchner, DS-GVO BDSG, Article 55 GDPR, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>CJEU ruled on the territorial limitation of performance of tasks and exercising of powers in ''Weltimmo judgement (''C-230/14).<blockquote>Case law: In case C-230/14, ''Weltimmo'', CJEU stated that a SA cannot impose penalties outside the territory of its own Member State but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. For finding an infringement and imposing penalties the SA must request cooperation of SA of the establishment in accordance with the rules on cooperation. At the same time CJEU pointed out that “''the law should make it possible for individuals to enforce their right to protection''” <ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']], paragraphs 53 to 57.</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>CJEU ruled on the territorial limitation of performance of tasks and exercising of powers in ''Weltimmo judgement (''C-230/14).<blockquote>Case law: In <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C-230/14 - Weltimmo|</ins>case C-230/14, ''Weltimmo''<ins style="font-weight: bold; text-decoration: none;">]]</ins>, CJEU stated that a SA cannot impose penalties outside the territory of its own Member State but it can examine a complaint and exercise investigative powers against a company established in another Member State which was directing its activities to residents of its state. 
For finding an infringement and imposing penalties the SA must request cooperation of SA of the establishment in accordance with the rules on cooperation. At the same time CJEU pointed out that “''the law should make it possible for individuals to enforce their right to protection''” <ref>CJEU [[CJEU - C-230/14 - Weltimmo|''C-230/14 - Weltimmo'']], paragraphs 53 to 57.</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Where a SA is competent when processing carried out by a controller or processor not established in the EU/EEA is targeting data subjects residing on its territory. The targeting can be done in relation to offering goods or services or through monitoring their behaviour. This refers to situations when GDPR is applicable according to [[Article 3 GDPR|Article 3(2) GDPR]]. In these situations, several SAs can be competent to act in parallel, each with regard to the processing of data of their residents.</blockquote>In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any Member State, especially in situations when a controller has not designated a representative on the territory of the European Union (in breach of [[Article 27 GDPR|Article 27(1) GDPR]]). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.<ref>See ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). See also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> It may also order that the data has to remain within the Union and cannot be transferred to a third country.<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). 
Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU ''C-293/12 - Digital Rights Ireland,'' paragraph 68, [https://curia.europa.eu/juris/liste.jsf?num=C-293/12&language=de available here].</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Where a SA is competent when processing carried out by a controller or processor not established in the EU/EEA is targeting data subjects residing on its territory. The targeting can be done in relation to offering goods or services or through monitoring their behaviour. This refers to situations when GDPR is applicable according to [[Article 3 GDPR|Article 3(2) GDPR]]. In these situations, several SAs can be competent to act in parallel, each with regard to the processing of data of their residents.</blockquote>In this situations the main question is how to enforce a decision when a violation of the GDPR is established. In particularly, how corrective measures and fines can be enforced, since the controller or processor are located outside the territory and thus outside the reach of any Member State, especially in situations when a controller has not designated a representative on the territory of the European Union (in breach of [[Article 27 GDPR|Article 27(1) GDPR]]). In such situations s SA may ask the competent authorities of the country of the processor for cooperation under an international agreement between the countries.<ref>See ''Polenz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 55 GDPR, margin numbers 16 and 17 (Nomos 2019). 
See also ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020).</ref> It may also order that the data has to remain within the Union and cannot be transferred to a third country.<ref>See ''Hijmans'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 55 GDPR, page 907 (Oxford University Press 2020). Regarding the option that the data must remain within the territory of the Union to secure the protection of individuals and their rights under the GDPR see also CJEU ''C-293/12 - Digital Rights Ireland,'' paragraph 68, [https://curia.europa.eu/juris/liste.jsf?num=C-293/12&language=de available here].</ref></div></td></tr>
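Review bot: in the sentence just before the new link, the italic markers in "''Weltimmo judgement (''C-230/14)" wrap "Weltimmo judgement (" instead of the case name; suggest "the ''Weltimmo'' judgement (C-230/14)". The same page is also already linked from the footnote that follows the quotation in this paragraph, so the paragraph now carries the link twice and one of the two can go.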
<!-- diff cache key gdprwiki:diff::1.12:old-39694:rev-40409 -->
</table>
Sfl
https://gdprhub.eu/index.php?title=Article_17_GDPR&diff=40408&oldid=40281
Article 17 GDPR
2024-03-18T15:47:51Z
<p><span dir="auto"><span class="autocomment">(d) Unlawful processing</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:47, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l266">Line 266:</td>
<td colspan="2" class="diff-lineno">Line 266:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====(d) Unlawful processing=====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====(d) Unlawful processing=====</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Under Article 17(1)(d) GDPR, data must be erased in case they "''have been unlawfully processed''". Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR. However, unlawfulness under GDPR is not only limited to situations where the legal basis for processing is missing under Article 6 or 9, but also includes cases where the processing activity violates GDPR for "''other reasons''" (Recital 65). To begin, processing is unlawful if it does not conform to the principles set out in Article 5.<blockquote><u>Case-law</u>: In CJEU - C‑131/12 - Google Spain, the Court held that all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive [...] Under Article 6 of Directive 95/46 [...] 
the controller has the task of ensuring that personal data are processed ‘fairly and lawfully’, that they are ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’, that they are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, that they are ‘accurate and, where necessary, kept up to date’ and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.<ref>CJEU, Case C-131/12, Google Spain, 13 May 2014, margin numbers 71-72, 75, 92 (available [[CJEU - C‑131/12 - Google Spain|here]]).</ref></blockquote>Hence, data processing may also be unlawful where any GDPR provision implementing a principle is breached. For instance, if its technical design and implementation do not conform to the requirements of Article 25 or do not comply with the security standards set out in Article 32. Unlawfulness also arises in situations where processed data is inaccurate (Article 16 GDPR).<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 27 (C.H. Beck 2018, 2nd edition). Same view in ''Haidinger'' in Knyrim, DatKomm Article 17 GDPR, margin numbers 55-56 (as of 1.12.2021, rdb.at).</ref> In other words, ''“this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 
158 (Springer 2017).</ref> </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Under Article 17(1)(d) GDPR, data must be erased in case they "''have been unlawfully processed''". Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR. However, unlawfulness under GDPR is not only limited to situations where the legal basis for processing is missing under Article 6 or 9, but also includes cases where the processing activity violates GDPR for "''other reasons''" (Recital 65). To begin, processing is unlawful if it does not conform to the principles set out in Article 5.<blockquote><u>Case-law</u>: In <ins style="font-weight: bold; text-decoration: none;">[[</ins>CJEU - C‑131/12 - Google Spain<ins style="font-weight: bold; text-decoration: none;">]]</ins>, the Court held that all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive [...] Under Article 6 of Directive 95/46 [...] 
the controller has the task of ensuring that personal data are processed ‘fairly and lawfully’, that they are ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’, that they are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, that they are ‘accurate and, where necessary, kept up to date’ and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.<ref>CJEU, Case C-131/12, Google Spain, 13 May 2014, margin numbers 71-72, 75, 92 (available [[CJEU - C‑131/12 - Google Spain|here]]).</ref></blockquote>Hence, data processing may also be unlawful where any GDPR provision implementing a principle is breached. For instance, if its technical design and implementation do not conform to the requirements of Article 25 or do not comply with the security standards set out in Article 32. Unlawfulness also arises in situations where processed data is inaccurate (Article 16 GDPR).<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 27 (C.H. Beck 2018, 2nd edition). Same view in ''Haidinger'' in Knyrim, DatKomm Article 17 GDPR, margin numbers 55-56 (as of 1.12.2021, rdb.at).</ref> In other words, ''“this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====(e) Compliance with a legal obligation=====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=====(e) Compliance with a legal obligation=====</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. This provision contains an opening clause by which legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level. The opening clause does not impose any special requirements on the respective Member State regulation. However, it is necessary that the respective Member State regulation does not undermine the requirements of the GDPR and, above all, does not violate any rights under the Charter or fundamental freedoms.<ref>''Nolte, Werkmeister'' in Gola, DS-GVO, Article 17 GDPR, margin number 27 (C.H. Beck2018, 2nd edition).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. This provision contains an opening clause by which legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level. The opening clause does not impose any special requirements on the respective Member State regulation. 
However, it is necessary that the respective Member State regulation does not undermine the requirements of the GDPR and, above all, does not violate any rights under the Charter or fundamental freedoms.<ref>''Nolte, Werkmeister'' in Gola, DS-GVO, Article 17 GDPR, margin number 27 (C.H. Beck2018, 2nd edition).</ref> </div></td></tr>
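Review bot: In the changed Case-law blockquote, the quotation refers to "Article 6 of the directive" and "Article 7 of the directive" directly after sentences that cite Article 6 GDPR and Article 5 GDPR, so a reader can mistake the quoted Article 6 for the GDPR provision. Since this paragraph is being edited anyway, add a short bracketed note that the quote concerns Directive 95/46 and name the GDPR provisions that now carry those principles. In the same paragraph, "For instance, if its technical design and implementation do not conform ..." is a sentence fragment with no clear antecedent for "its"; join it to the preceding sentence. The unchanged context below also has "C.H. Beck2018" without a space.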
<!-- diff cache key gdprwiki:diff::1.12:old-40281:rev-40408 -->
</table>Sflhttps://gdprhub.eu/index.php?title=Article_15_GDPR&diff=40407&oldid=40273Article 15 GDPR2024-03-18T15:46:45Z<p><span dir="auto"><span class="autocomment">Relationship with other rights to access information</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:46, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l228">Line 228:</td>
<td colspan="2" class="diff-lineno">Line 228:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations. The right to access is a prerequisite to exercising data subjects rights (rectification, erasure, restriction, etc.)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).</ref> and is therefore a is a key principle of the entire data protection framework.<ref>CJEU, Case C-553/07'', College van burgemeester en wethouders v. Meerijkeboer'', 7 May 2009, margin numbers 51–52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=74028&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]). 
See also, CJEU, Joined Cases C-141/12 and C-372/12, ''YS and Others'', 17 July 2014, margin number 57 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=155114&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The possibility to receive consistent, reliable, complete and updated information regarding processing activities allows individuals to obtain and increase their awareness of any relevant processing operation, exercise practical control over their data, and scrutinise the accuracy and lawfulness of data processing operations. The right to access is a prerequisite to exercising data subjects rights (rectification, erasure, restriction, etc.)<ref>''Ehmann'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 15 GDPR, margin number 6 (C.H. Beck 2018, 2nd Edition).</ref> and is therefore a is a key principle of the entire data protection framework.<ref>CJEU, Case C-553/07'', College van burgemeester en wethouders v. Meerijkeboer'', 7 May 2009, margin numbers 51–52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=74028&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]). See also, CJEU, Joined Cases C-141/12 and C-372/12, ''YS and Others'', 17 July 2014, margin number 57 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=155114&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3862798 here]).</ref> </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The right to access is however also a "stand-alone" fundamental right, protected under Article 8(2) CFR. A data subject may just want to get information about the data processed about him or her - independent of the exercise of any other right under the GDPR. A data subject therefore does not need to give reasons for exercising the right to access. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.<ref>As the EDPB puts it, "''Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access request under Article 15 GDPR, the CJEU has held that the motive is irrelevant. 
<blockquote><u>Case law:</u> In ''[[C‑307/22 FT and DW]]'' a data subject used Article 15 GDPR to get (free) access to its own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR right, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of ones personal data is independent of the intent purpose for which the personal data is used and the controller must grant access.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The right to access is however also a "stand-alone" fundamental right, protected under Article 8(2) CFR. A data subject may just want to get information about the data processed about him or her - independent of the exercise of any other right under the GDPR. A data subject therefore does not need to give reasons for exercising the right to access. Even if they did, the controller does not have the jurisdiction to assess underpinning motives.<ref>As the EDPB puts it, "''Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller''". 
See, EDPB, ‘Guidelines 01/2022 on data subject rights - Right of access’, 28 March 2023 (Version 2.0), p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en here]).</ref> While some national courts have tried to use the lack of a proven GDPR-related motive as a reason to reject access request under Article 15 GDPR, the CJEU has held that the motive is irrelevant. <blockquote><u>Case law:</u> In ''[[<ins style="font-weight: bold; text-decoration: none;">CJEU - C‑307/22 - Copies of Medical Records|</ins>C‑307/22 FT and DW]]'' a data subject used Article 15 GDPR to get (free) access to its own health records. The controller alleged that the access request was not made for the purpose of exercising (other) GDPR right, but to get a copy of health records, which is usually subject to a charge. The CJEU held that the right to get a free copy of ones personal data is independent of the intent purpose for which the personal data is used and the controller must grant access.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A film maker made access request to CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.<ref>See https://en.wikipedia.org/wiki/Faceless_(2007_film)</ref> Her use of the right to access to get a copy of CCTV footage may have been tedious, but the use of personal data for a move (criticising surveillance) was maybe exceptional but legal.</blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><u>Example:</u> A film maker made access request to CCTV footage showing her walk around London. She had other actors be in front of the CCTV cameras and used the footage to make an entire movie from CCTV footage collected via the right to access. Tilda Swinton narrated the otherwise silent CCTV footage published in 2007.<ref>See https://en.wikipedia.org/wiki/Faceless_(2007_film)</ref> Her use of the right to access to get a copy of CCTV footage may have been tedious, but the use of personal data for a move (criticising surveillance) was maybe exceptional but legal.</blockquote></div></td></tr>
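Review bot: The case-law summary in the changed paragraph still carries wording errors that should be corrected in the same edit: "exercising (other) GDPR right" (rights), "ones personal data" (one's), "the intent purpose" (intended purpose), "access to its own health records" (their own), and, just before the blockquote, "reject access request" (requests). The summary of C‑307/22 also has no footnote giving the paragraphs of the judgment it relies on, unlike the EDPB reference earlier in the same paragraph; add one. The unchanged context rows of this hunk read "is therefore a is a key principle" and "personal data for a move", which are worth fixing while the section is open.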
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l236">Line 236:</td>
<td colspan="2" class="diff-lineno">Line 236:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning access to health data or archives. Unless other EU or national law is explicitly a ''lex specialis'' in relation to the GDPR - usually in the form of a Restriction under [[Article 23 GDPR]] - these other rights exist in parallel to the GDPR. This means a data subject may freely choose to rely on Article 15 GDPR or any other legal basis available to him or her. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Other EU or national legislation may provide for additional rights to access information. Such rights may come in many forms, such as procedural law (allowing access to documents in a procedure), freedom of information laws (allowing access to government files) or specific sectoral laws, such as laws concerning access to health data or archives. Unless other EU or national law is explicitly a ''lex specialis'' in relation to the GDPR - usually in the form of a Restriction under [[Article 23 GDPR]] - these other rights exist in parallel to the GDPR. This means a data subject may freely choose to rely on Article 15 GDPR or any other legal basis available to him or her. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><u>Case law:</u> In ''[[C‑307/22 FT and DW]]'' the CJEU has also rejected arguments that Article 15 GDPR may not be applied if there is existing national law that foresees a right to get a copy against a fee. EU law trumps national law in such cases. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><u>Case law:</u> In ''[[<ins style="font-weight: bold; text-decoration: none;">CJEU - C‑307/22 - Copies of Medical Records|</ins>C‑307/22 FT and DW]]'' the CJEU has also rejected arguments that Article 15 GDPR may not be applied if there is existing national law that foresees a right to get a copy against a fee. EU law trumps national law in such cases. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Consequently, a data subject can also make an access request under Article 15 GDPR for any other purpose - such as to generate evidence for a legal procedure. Even if many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish. In fact, the controller may equally rely on personal data as evidence under [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The use of Article 15 GDPR to obtain evidence would still be used to overcome "informational imbalance" in such cases. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Consequently, a data subject can also make an access request under Article 15 GDPR for any other purpose - such as to generate evidence for a legal procedure. Even if many EU Member States' procedures do not know the concept of "discovery" (as common in the US), data subjects may use the right to access for any purpose they wish. In fact, the controller may equally rely on personal data as evidence under [[Article 6 GDPR|Article 6(1)(f) GDPR]]. The use of Article 15 GDPR to obtain evidence would still be used to overcome "informational imbalance" in such cases. </div></td></tr>
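Review bot: The changed Case law line has no <ref> with the paragraphs of the judgment that support "EU law trumps national law in such cases", whereas the other case citations in this feed carry margin or paragraph numbers; add a pinpoint footnote. The line is also not wrapped in <blockquote>, while the Case law entry for the same judgment in the previous hunk is; use one presentation for both. "foresees a right to get a copy against a fee" would read more clearly as "provides for a right to obtain a copy for a fee".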
<!-- diff cache key gdprwiki:diff::1.12:old-40273:rev-40407 -->
</table>Sflhttps://gdprhub.eu/index.php?title=Article_10_GDPR&diff=40406&oldid=35720Article 10 GDPR2024-03-18T15:41:37Z<p><span dir="auto"><span class="autocomment">Commentary</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:41, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l195">Line 195:</td>
<td colspan="2" class="diff-lineno">Line 195:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 10 GDPR is a complementary provision to the Law Enforcement Directive (LED)<ref>[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680 Directive (EU) 2016/680] of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.</ref>. It aims to ensure that criminal data processing is still carried out in accordance with the GDPR’s principles and with appropriate safeguards when the LED is not directly applicable. [[Article 2 GDPR|Article 2(2)(d) GDPR]] excludes any processing that falls under the scope of the LED from the scope of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data that is not included in the scope of the LED. Specifically, this includes data that has the potential to lead to stigmatisation, which may lead to profound effects on different aspects of a data subjects' life due to its sensitive nature. For example, when data is inappropriately processed in the employment context.<ref>''Georgieva'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 10 GDPR, p. 
388 (Oxford University Press, Oxford, 2020).</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Article 10 GDPR is a complementary provision to the Law Enforcement Directive (LED)<ref>[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016L0680 Directive (EU) 2016/680] of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.</ref>. It aims to ensure that criminal data processing is still carried out in accordance with the GDPR’s principles and with appropriate safeguards when the LED is not directly applicable. [[Article 2 GDPR|Article 2(2)(d) GDPR]] excludes any processing that falls under the scope of the LED from the scope of the GDPR. Article 10 GDPR is intended to extend the protection of the GDPR to the processing of certain criminal data that is not included in the scope of the LED. Specifically, this includes data that has the potential to lead to stigmatisation, which may lead to profound effects on different aspects of a data subjects' life due to its sensitive nature. For example, when data is inappropriately processed in the employment context.<ref>''Georgieva'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 10 GDPR, p. 388 (Oxford University Press, Oxford, 2020).</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This position was affirmed by the Court of Justice in Case C‑439/19, ''Latvijas Republikas Saeima''. In this judgment, the Court noted that data processed under Article 10 GDPR warrants a higher standards of protection for processing and grant of access, as the data which falls under its scope has the potential to expose the data subject to stigmatisation and social disapproval. At paragraphs 74 and 75, the Court observed that the risk of stigmatisation in itself amounts to severe interference in the data subject's private and professional life for the purposes of Articles 7 and 8 of the Charter, consequently justifying stricter thresholds for processing.<ref name=":0">Case C‑439/19, ''Latvijas Republikas Saeima'', paras 74-75. </ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This position was affirmed by the Court of Justice in <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C-439/19 - B v. Latvijas Republikas Saeima|</ins>Case C‑439/19, ''Latvijas Republikas Saeima''<ins style="font-weight: bold; text-decoration: none;">]]</ins>. In this judgment, the Court noted that data processed under Article 10 GDPR warrants a higher standards of protection for processing and grant of access, as the data which falls under its scope has the potential to expose the data subject to stigmatisation and social disapproval. 
At paragraphs 74 and 75, the Court observed that the risk of stigmatisation in itself amounts to severe interference in the data subject's private and professional life for the purposes of Articles 7 and 8 of the Charter, consequently justifying stricter thresholds for processing.<ref name=":0">Case C‑439/19, ''Latvijas Republikas Saeima'', paras 74-75. </ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, ''"''[u]''nder the principle of proportionality, limitations'' [to the the fundamental rights to respect for private life and to the protection of personal data] ''may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question.''"<ref>Case C‑439/19, ''Latvijas Republikas Saeima'', para 105.</ref></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>As a result, ''"''[u]''nder the principle of proportionality, limitations'' [to the the fundamental rights to respect for private life and to the protection of personal data] ''may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question.''"<ref>Case C‑439/19, ''Latvijas Republikas Saeima'', para 105.</ref></div></td></tr>
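Review bot: the sentence that gains the new C-439/19 link still reads "warrants a higher standards of protection" on the added side; since that line is being rewritten anyway, change it to "a higher standard of protection". The footnote named ":0" at the end of the same paragraph still cites the case as plain text, so consider linking it to the same case page so the running text and the footnote agree.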
</table>Sflhttps://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40405&oldid=40381Article 6 GDPR2024-03-18T15:39:13Z<p><span dir="auto"><span class="autocomment">Necessity</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:39, 18 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l258">Line 258:</td>
<td colspan="2" class="diff-lineno">Line 258:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The concept of "necessity" is used five of the six legal basis (Article 6(1)(b) to (f) GDPR). Only consent does not contain the requirement, as consent must be "specific" anyways. The concept of "necessity" must be interpreted in the light of applicable European law and is also known under Article 52(1) of the Charter of Fundamental Rights. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The CJEU generally follows a concept of strict necessity and a narrow interpretation.<blockquote><u>Case Law:</u> In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.</blockquote>From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. 
As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote><u>Case Law:</u> In [[CJEU - C‑13/16 - Rīgas satiksme|C‑13/16 - ''Rīgas satiksme'']] on the use of personal data after a traffic accident the CJEU held: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''”.<ref>CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=190322&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3378015 here]).</ref> In joined Cases C‑92/09 and C‑93/09 ''- Volker und Markus Schecke and Eifert'' on a European law requiring the publication of recipients of agricultural subsidies the CJEU held that: "''limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''".<ref>CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', paragraph 86, 9. November 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=79163&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3378952 here]).</ref></blockquote>Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed. 
</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CJEU generally follows a concept of strict necessity and a narrow interpretation.<blockquote><u>Case Law:</u> In [[CJEU - C-524/06 - Huber|C‑524/06 - ''Huber'']] on a German central register to manage matters in relation to foreign nationals the CJEU held that the “''concept'' [of necessity] ''...has its own independent meaning in Community law and ... must be interpreted in a manner which fully reflects the objective of'' [Directive 95/46/EC]”.<ref>CJEU, Case C‑524/06, ''Huber'', 18 December 2008, margin number 52 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76077&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3377266 here]).</ref> The CJEU held that such a register must not contain any information other than what is necessary for the purpose of implementing specific laws on foreign nationals.</blockquote>From a systematic point of view any legal basis under Article 6(1) GDPR constitutes an exemption to the general prohibition of data processing. 
As such, the exemption itself and all the wording it carries, including the "necessity" requirement, must be interpreted narrowly.<blockquote><u>Case Law:</u> In [[CJEU - C‑13/16 - Rīgas satiksme|C‑13/16 - ''Rīgas satiksme'']] on the use of personal data after a traffic accident the CJEU held: “''As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''”.<ref>CJEU, Case C‑13/16, ''Rīgas satiksme'', 4 May 2017, margin number 30 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=190322&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3378015 here]).</ref> In <ins style="font-weight: bold; text-decoration: none;">[[CJEU - Joined Cases C-92/09 and C-93/09 - Volker and Markus|</ins>joined Cases C‑92/09 and C‑93/09 ''- Volker und Markus Schecke and Eifert''<ins style="font-weight: bold; text-decoration: none;">]] </ins>on a European law requiring the publication of recipients of agricultural subsidies the CJEU held that: "''limitations in relation to the protection of personal data must apply only in so far as is strictly necessary''".<ref>CJEU, Joined Cases C‑92/09 and C‑93/09, ''Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen'', paragraph 86, 9. November 2010 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=79163&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3378952 here]).</ref></blockquote>Despite the narrow interpretation of strict necessity, a controller is not prohibited from using personal data, just because there is a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered. Processing that is "useful" but not objectively "necessary" is not covered and hence not allowed. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For example [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en EDPB Guidelines 2/2019 on Article 6(1)(b)] have clarified that assessing what is "necessary" involves a factual analysis of the processing operations and their purpose(s) and whether less intrusive alternatives that achieve the same goal exist. 
If there are realistic, less intrusive processing operations, then the other more intrusive ones must be excluded – i.e. they are not "necessary" under EU law. Thus, Article 6(1)(b) does not “''cover processing which is useful but not objectively necessary for performing the contractual service''”.<ref>EDPB, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, 8 October 2019’ (Version 2.0), p. 8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf here]).</ref> </div></td></tr>
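Review bot: on the added side of the Line 258 change, the closing part of the paragraph is a comma splice and drops a plural: "...a theoretical alternative that does not include the use of personal data, only realistic alternative must be considered". Split it into two sentences and write "only realistic alternatives must be considered". The new link label also begins with lowercase "joined Cases" while the footnote for the same judgment uses "Joined Cases"; pick one form.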
</table>Sflhttps://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40381&oldid=40365Article 6 GDPR2024-03-17T12:04:21Z<p><span dir="auto"><span class="autocomment">(4) Further processing</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40381&oldid=40365">Show changes</a>2A01:4F8:231:1DE2:0:0:1001:3https://gdprhub.eu/index.php?title=Article_5_GDPR&diff=40378&oldid=40280Article 5 GDPR2024-03-17T08:14:36Z<p><span dir="auto"><span class="autocomment">Compatible further processing</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:14, 17 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l234">Line 234:</td>
<td colspan="2" class="diff-lineno">Line 234:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order to be '<nowiki/>''lawful''<nowiki/>', processing should comply with [[Article 6 GDPR|Article 6(1) GDPR]], which requires that any processing operation must be based on at least one of the six legal bases in the exhaustive list provided.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> The principle of lawful processing is linked to the general prohibition on processing personal data and is also enshrined in Article 8(2) of the EU Charter ('''...data ... must be processed ... on the basis of consent of the person concerned or some other legitimate basis laid down by law.''<nowiki/>'). For further details on the various legal bases for processing personal data please see the commentary on [[Article 6 GDPR|Article 6(1) GDPR]].<blockquote><u>Example:</u> The newly appointed data protection officer asks their colleagues for the legal basis to record certain information in the system. They go through the six legal basis in [[Article 6 GDPR|Article 6(1) GDPR]] and realise that none of the provisions fit. The colleague argues that the controller always recorded this information and all other competitors do that too. 
The newly appointed data protection officer says: "''I am sorry, but 'everyone else does it' is not a legal basis''".</blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In order to be '<nowiki/>''lawful''<nowiki/>', processing should comply with [[Article 6 GDPR|Article 6(1) GDPR]], which requires that any processing operation must be based on at least one of the six legal bases in the exhaustive list provided.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5 GDPR, margin number 8 (C.H. Beck 2020, 3rd Edition).</ref> The principle of lawful processing is linked to the general prohibition on processing personal data and is also enshrined in Article 8(2) of the EU Charter ('''...data ... must be processed ... on the basis of consent of the person concerned or some other legitimate basis laid down by law.''<nowiki/>'). For further details on the various legal bases for processing personal data please see the commentary on [[Article 6 GDPR|Article 6(1) GDPR]].<blockquote><u>Example:</u> The newly appointed data protection officer asks their colleagues for the legal basis to record certain information in the system. They go through the six legal basis in [[Article 6 GDPR|Article 6(1) GDPR]] and realise that none of the provisions fit. The colleague argues that the controller always recorded this information and all other competitors do that too. The newly appointed data protection officer says: "''I am sorry, but 'everyone else does it' is not a legal basis''".</blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>There is an ongoing debate about a wider understanding of the term '<nowiki/>''lawful''<nowiki/>'. The principle of lawfulness does not mean that processing which violates any administrative provision of the GDPR or any other law (environmental laws, tax law, employment laws), makes the processing not '<nowiki/>''lawful''<nowiki/>' within the meaning of the GDPR, as this would for example trigger the fine of €20 million under [[Article 83 GDPR|Article 83(4) GDPR]]. <blockquote><u>Example:</u> A controller is processing the pictures of data subjects. The controller complies with all requirements under the GDPR, but did not seek the agreement from the photographer, who is the copy right holder. The processing of data subjects' pictures is '<nowiki/>''unlawful''<nowiki/>' under applicable copyright law, but not under the GDPR.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>There is an ongoing debate about a wider understanding of the term '<nowiki/>''lawful''<nowiki/>'. The principle of lawfulness does not mean that processing which violates any administrative provision of the GDPR or any other law (environmental laws, tax law, employment laws), makes the processing not '<nowiki/>''lawful''<nowiki/>' within the meaning of the GDPR, as this would for example trigger the fine of €20 million under [[Article 83 GDPR|Article 83(4) GDPR]].<blockquote><u>Example:</u> A controller is processing the pictures of data subjects. 
The controller complies with all requirements under the GDPR, but did not seek the agreement from the photographer, who is the copy right holder. The processing of data subjects' pictures is '<nowiki/>''unlawful''<nowiki/>' under applicable copyright law, but not under the GDPR.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>However, there are also views that the violation of core principles of the GDPR that are directly protecting the data subject (like processing incorrect personal data)<ref>See e.g. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref> would not constitute '<nowiki/>''lawful''<nowiki/>' processing. It seems that there may be some room to have a broader understanding of the term 'lawful' beyond [[Article 6 GDPR|Article 6(1) GDPR]] alone.</blockquote></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>However, there are also views that the violation of core principles of the GDPR that are directly protecting the data subject (like processing incorrect personal data)<ref>See e.g. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 5, margin number 16 (C.H. Beck 2020, 3rd Edition).</ref> would not constitute '<nowiki/>''lawful''<nowiki/>' processing. It seems that there may be some room to have a broader understanding of the term 'lawful' beyond [[Article 6 GDPR|Article 6(1) GDPR]] alone.</blockquote></div></td></tr>
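Review bot: the blockquote opened before "Example:" in the changed paragraph is not closed in that paragraph; the only closing tag sits at the end of the "However, there are also views..." paragraph, so that commentary ends up inside the example box. Close the blockquote after "...but not under the GDPR." and drop the closing tag two paragraphs down. While the line is being edited, "copy right holder" should read "copyright holder".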
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l281">Line 281:</td>
<td colspan="2" class="diff-lineno">Line 281:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under [[Article 89 GDPR|Article 89(1) GDPR]];</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under [[Article 89 GDPR|Article 89(1) GDPR]];</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* further processing allowed or required by Union or Member State law<del style="font-weight: bold; text-decoration: none;">;</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* further processing allowed or required by Union or Member State law under [[Article 6 GDPR|Article 6(4) GDPR]];</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* further processing for a compatible purpose </del>under [[Article 6 GDPR|Article 6(4) GDPR]] <del style="font-weight: bold; text-decoration: none;">and</del>;</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* further processing based on the data subject's consent <ins style="font-weight: bold; text-decoration: none;">under [[Article 6 GDPR|Article 6(4) GDPR]] and</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* further processing based on the data subject's consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* further processing for a compatible purpose under [[Article 6 GDPR|Article 6(4) GDPR]]</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>See the commentary on [[Article 6 GDPR|Article 6(4) GDPR]] for details on the compatibility assessment.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>See the commentary on [[Article 6 GDPR|Article 6(4) GDPR]] for details on the compatibility assessment.</div></td></tr>
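Review bot: after the reorder at Line 281, the second bullet ends in "under [[Article 6 GDPR|Article 6(4) GDPR]] and" with no semicolon, while the bullets above it end in ";". Restore the semicolon before "and" so the list punctuation is consistent. The consent bullet also gains an Article 6(4) reference that it did not have in the older revision; confirm that this is intended and not a side effect of moving the reference between lines.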
</table>2A01:4F8:231:1DE2:0:0:1001:3https://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40365&oldid=40284Article 6 GDPR2024-03-15T19:48:33Z<p><span dir="auto"><span class="autocomment">(2) National law under Article 6(1)(c) and (e)</span></span></p>
<a href="https://gdprhub.eu/index.php?title=Article_6_GDPR&diff=40365&oldid=40284">Show changes</a>2A01:4F8:231:1DE2:0:0:1001:3https://gdprhub.eu/index.php?title=Article_1_GDPR&diff=40357&oldid=39920Article 1 GDPR2024-03-14T16:21:48Z<p>Added links</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:21, 14 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l218">Line 218:</td>
<td colspan="2" class="diff-lineno">Line 218:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(2) Protection of fundamental rights and freedoms ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(2) Protection of fundamental rights and freedoms ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as 'in particular''<nowiki/>''' the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases <del style="font-weight: bold; text-decoration: none;"> </del>C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' - on so-called 'data retention' where communication metadata was stored for up to two year for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as 'in particular''<nowiki/>''' the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. 
On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|</ins>C‑293/12 and C‑594/12 - ''Digital Rights Ireland''<ins style="font-weight: bold; text-decoration: none;">]] </ins>- on so-called 'data retention' where communication metadata was stored for up to two year for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Protection of the fundamental right to data protection ====</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==== Protection of the fundamental right to data protection ====</div></td></tr>
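Review bot: In the "Case Law" blockquote the sentence this edit touches still reads "stored for up to two year for criminal investigations"; since the line is already being rewritten to add the wikilink, correct it to "two years" in the same revision. The opening sentence of the paragraph also carries unbalanced quote markup around 'in particular' (a single quote followed by italic and nowiki markers). The new revision also introduces a line break after "two objectives." that the old revision did not have, which is unrelated to the link change and is better left out.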
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l236">Line 236:</td>
<td colspan="2" class="diff-lineno">Line 236:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Directive 95/46/EC]) is aiming for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This term was regularly used to convey a more protective interpretation of the GDPR by the CJEU, and is taken from Recitals 6 and 10 of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests is preferred by the CJEU,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold the this high level of protection foreseen by the GDPR. 
</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Directive 95/46/EC]) is aiming for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This term was regularly used to convey a more protective interpretation of the GDPR by the CJEU, and is taken from Recitals 6 and 10 of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests is preferred by the CJEU,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold the this high level of protection foreseen by the GDPR. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Existing CJEU case law contains useful examples of the current state of play. In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU has, for example, held that the prevention of terrorism does not allow the retention of meta data from phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Existing CJEU case law contains useful examples of the current state of play. In the joined cases <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|</ins>C‑293/12 and C‑594/12 - ''Digital Rights Ireland''<ins style="font-weight: bold; text-decoration: none;">]] </ins>the CJEU has, for example, held that the prevention of terrorism does not allow the retention of meta data from phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Similarly, in other cases, public interest in financial transparency in the public sector was not seen to override the interest of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments were mainly concerning public sector violations of Article 7 and 8 CFR, they seem to also apply to private actors, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If in the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU prohibited governments to keep phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] for communication data for purposes that are even less serious. Such a legitimate interest would have to cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR. 
</blockquote></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Similarly, in other cases, public interest in financial transparency in the public sector was not seen to override the interest of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments were mainly concerning public sector violations of Article 7 and 8 CFR, they seem to also apply to private actors, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If in the joined cases <ins style="font-weight: bold; text-decoration: none;">[[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|</ins>C‑293/12 and C‑594/12 - ''Digital Rights Ireland''<ins style="font-weight: bold; text-decoration: none;">]] </ins>the CJEU prohibited governments to keep phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] for communication data for purposes that are even less serious. Such a legitimate interest would have to cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR. </blockquote></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(3) Free movement of personal data===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===(3) Free movement of personal data===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest to pass so-called data localization laws. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest to pass so-called data localization laws. </div></td></tr>
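Review bot: In the paragraph beginning "Existing CJEU case law" the footnote directly after the new wikilink still cites the judgment as plain text ("See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland"), so the same case is now referenced twice in one sentence in two different styles; link the footnote to the same page or drop it. While these lines are open, the same paragraph writes "meta data" where the earlier Case Law blockquote writes "metadata", the Example blockquote has "prohibited governments to keep" (should be "prohibited governments from keeping"), and the unchanged context paragraph under Line 236 still contains "uphold the this high level".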
<!-- diff cache key gdprwiki:diff::1.12:old-39920:rev-40357 -->
</table>Sfl