Article 4 GDPR
==Legal Text==
<br /><center>'''Article 4 - Definitions'''</center>
For the purposes of this Regulation:
==Relevant Recitals==
{{Recital/14 GDPR}}
{{Recital/15 GDPR}}
{{Recital/26 GDPR}}
{{Recital/27 GDPR}}
{{Recital/28 GDPR}}
{{Recital/29 GDPR}}
{{Recital/30 GDPR}}
==Commentary==
Article 4 GDPR provides a list of definitions used to further specify relevant terms used throughout the GDPR.
Some definitions are taken over from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], so that their understanding can build upon the already existing terms. Other definitions, however, are newly introduced, modified, or complemented with additional elements, and therefore require a new interpretation.
===(1) Personal data===
The principal concept of the GDPR is that of ‘personal data’, as the Regulation only applies to personal data and refers to it throughout its text.
Its definition developed from a previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which "''personal data means any information relating to an identified or identifiable individual''".
The definition can be divided into the following four requirements: (1) ‘any information’; (2) ‘relating to’; (3) ‘an identified or identifiable’; (4) ‘individual’. All four of these aspects must be fulfilled in order to satisfy the notion of personal data.
====Any information====
With the expression ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).</ref> This position is supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [http://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Equally, the European Court of Human Rights stated that <cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite>.<ref>European Court of Human Rights, ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref>
Accordingly, personal data includes any information, no matter whether it relates to the individual’s private and family life or to the working, economic or social behaviour of the individual, regardless of their position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> <blockquote>{{Quote-example|Petra keeps various information on her smartphone. This includes information that she does not seem to treat as private, as she even shares it online on widely available platforms, with her name attached, but there is also information about her love and sex life in chats, which she clearly feels is very private. In addition, she keeps data in relation to her job as an independent contractor on her phone. The GDPR covers all such information - no matter if the information is trivial or extremely sensitive, private or related to her business.}}</blockquote>The information can be either 'objective', such as unchangeable characteristics of a data subject, or 'subjective', in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref> This means that mere likelihoods, predictions or planning information are also covered by the GDPR, as long as they relate to a person.<blockquote>{{Quote-example|Petra is also a customer of a bank with a private and a commercial bank account. The bank does not only hold her name, address, contact data or passport information, but also all her transaction data. In addition, the bank uses a system to predict whether Petra may default on her loan. For the prediction the bank uses information about unpaid bills from a third-party provider. The information is actually incorrect, as Petra always paid her bills. All such data is covered by the GDPR, allowing Petra to e.g. use her rights under the GDPR to take action against incorrect information associated with her.}}</blockquote>With regard to the format or medium of the information, data of any type - be it alphabetical, numerical, (photo)graphical or acoustic - is included. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank is recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions,<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even children's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The GDPR deliberately does not specify the medium or types of information, following a 'tech-neutral' approach.
====Relating to====
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. "''where the information, by reason of its <u>content</u>, <u>purpose</u> or <u>effect</u>, is linked to a particular person''".<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref>
The content of the information is 'relating to' a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a larger group of people without any possibility to single out an individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref><blockquote>{{Quote-example|A marketing company's system identifies twenty different groups within French society. It assigns different income levels, spending behaviours, and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to such a group – claiming that he would be conservative, mid-level income, and open to spending his income on travel – this information now relates to Felix and is covered by the GDPR.}}</blockquote>Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref name=":0">''Klar/Kühling/Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4(2) GDPR, margin number 38 (C.H. Beck 2020).</ref> However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows others to infer the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Also, geodata (like GPS data and coordinates) allows others to derive locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> Equally, information from satellite images could be used to find out whether a person can afford a large property or a swimming pool, provided that the image can be linked to an individual.<ref name=":0" /> This is particularly relevant in the current technological landscape, considering the wealth of information which can be extracted from a growing number of personal devices, wearables and RFID chips, especially as these devices become increasingly associated with their owners or users.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref> <blockquote>{{Quote-example|A controller uses unique IDs of smart watches, smartphones and connected cars to collect information about the use of these devices. These devices are all used by a single person, so in fact the use of these devices also 'relate[s] to' a natural person.}}</blockquote>Furthermore, the purpose of the information can determine whether it is 'related to a person', where it is used to change their particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for monitoring the performance of the respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>
====Identified or identifiable====
The person to whom the information relates must also be identified or identifiable.
A person is "identified" when they can be directly distinguished or "singled out" from a larger group of persons, based on the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This can be achieved through several 'identifiers' listed by [[Article 4 GDPR#1|Article 4(1) GDPR]], such as the name, identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29, like telephone numbers, car registrations, social security numbers and passport numbers, as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]) with reference to the Commission.</ref> Note that the name of a person is therefore not necessarily required to identify an individual, as there are often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><blockquote>{{Quote-example|A controller holds the phone numbers of data subjects, but not their names. The users are still 'identified' by that number and the GDPR applies.}}{{Quote-example|'Ursula Schmidt' is such a generic name that the person may not be identified or even identifiable without additional information or context. 'Ursula von der Leyen' may be so specific that it identifiably refers to the president of the European Commission.}}</blockquote>A person is "identifiable" when they have not been identified yet but identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> It can be unclear what is still 'identifiable' and what is not anymore. Different people may have different abilities to identify a person, and different contexts or situations may lead to different answers as to whether the person is identifiable. Recital 26 clarifies that "''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used... either by the controller or by another person to identify the natural person''".
The starting point is therefore an absolute (objective) approach that generally considers both information held by the controller and information from any other entities which could identify a person. However, the 'reasonable likelihood' of such information being used by the controller or a third party narrows the approach. In this regard, Recital 26 adds that in order "''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification... the available technology at the time of the processing and technological developments''".
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,<ref>CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility of identifying the person with information from other entities is not sufficient.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account the use of state-of-the-art tools, available sources, costs, time, and effort required to identify the individual. The assessment is factual and is not limited to lawful means of identifying a person, where it is reasonably likely that an actor could also use unlawful ways to identify a person.<blockquote>In [[CJEU - C-582/14 - Patrick Breyer|C-582/14 ''Breyer'']] the CJEU had to consider whether IP addresses enable the identification of a natural person. The IP address is the number under which a computer or smartphone can be reached over the internet. Almost every controller exchanging information with a data subject over the internet will have to handle IP addresses. IP addresses can be dynamic (meaning the number may change, for example every 24 hours or every time a customer restarts their internet modem) or fixed (meaning the number is always associated with the same customer). Such a number may be associated with a user account, in which case it becomes personal data. Even if the number itself may not be linkable by a controller, governments but also private entities may have legal powers to access subscriber details in relation to the IP address. The CJEU found that even in such cases, the IP address can constitute personal data.<ref>CJEU, C‑582/14, ''Breyer'', 19 October 2016, margin number 49 (available [[CJEU - C-582/14 - Breyer|here]]).</ref>
{{Quote-CJEU|"[A] dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data [...] in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."|CJEU - C-582/14 - Breyer|49}}</blockquote>This example from case law shows that many data types may constitute personal data in one situation and not in another. Usually controllers and processors cannot, for example, determine whether an IP address in their log files is dynamic or fixed. In practice this may mean that controllers or processors choose to treat all IP addresses as personal data, to ensure compliance with the GDPR.
Furthermore, taking the increasing accessibility of information through means such as big data technologies and device fingerprinting into consideration, measures to successfully identify individuals are becoming increasingly effective.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Additionally, because more information is continuously added to individual data sets and stored over a longer period of time, persons are significantly more likely to be identified.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>
====Natural person====
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons according to Article 8 of the EU Charter of Fundamental Rights ("''Everyone has the right to the protection of personal data concerning him or her''").<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><blockquote>{{Quote-example|A third-country immigrant has entered the EU illegally. Once she arrives she makes a WhatsApp call to inform her family back home that she is safe and is now in the EU. Given that the geographic application of Article 2 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR - independent of her immigration status or citizenship. This is because the GDPR follows a human rights approach.}}</blockquote>Starting from this definition, national legislators usually limit it to the period from the moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Under the GDPR, information relating to deceased persons is accordingly not considered personal data.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons,<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional, or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on [[Article 4 GDPR#13|Article 4(13) GDPR]].<blockquote>{{Quote-example|The health records of a deceased patient are not protected by the GDPR. However, most EU Member States have various rules relating to the use of health data or civil law provisions in relation to the right to privacy that may still cover information of deceased persons.}}</blockquote>As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws, or constitutional laws sometimes grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref> Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. This is particularly relevant where the information on a legal person allows one to derive information on a natural person. For example, a company name or mail address may be related to a natural person and therefore constitute personal data. This is especially common for smaller, family-run, or one-person businesses.<ref>''Bygrave/Tosoni'', in Kuner et al., The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><blockquote>{{Quote-example|'Marta O'Connel's Plumbing of Limerick Ltd.' is a limited company and not directly considered a 'natural person' under the GDPR. However, the sole owner and manager is Marta O'Connel and there is also no other female plumber in the whole province of Limerick. Therefore, it is easy to identify the natural person behind the legal entity. Information about 'Marta O'Connel's Plumbing Ltd.' going bankrupt therefore clearly also relates to an identifiable natural person and is, as such, covered by the GDPR.}}</blockquote>
====Anonymous data====
Personal data is often contrasted with 'anonymous' data. Anonymous data is data relating to a person who is not identifiable. The GDPR does not protect such data, and controllers or processors are free to use such data (unless there are limits under other applicable law).<blockquote>{{Quote-example|Employees can participate in an internal vote. The ballots are thrown into a ballot box and mixed. The votes are properly anonymised. In a digital system, data can be stored without any linked personal information (like user IDs). The remaining information is anonymous data and not covered by the GDPR.}}</blockquote>In practice, it is increasingly hard to truly anonymise personal data, especially when the data is not very limited and uniform, or can be connected with other available information. New methods and technologies, such as big data analytics and artificial intelligence, are able to match and connect information that humans may not identify as being related.<blockquote>{{Quote-example|In 2006 the internet company AOL released 20 million searches that were entered into its search engine over three months. The searches of each user could be connected via an anonymous ID. As many users entered personal information in the search box, the New York Times was able to quickly find the relevant users. AOL deleted the file later, but it had already been widely copied.}}</blockquote>Some technical solutions that may be useful or even required under the GDPR (e.g. from a security perspective under [[Article 32 GDPR]] or as a means of data minimisation under [[Article 5 GDPR|Article 5(1)(c) GDPR]]) can be confused with techniques to truly anonymise data.<blockquote>{{Quote-example|A payment provider and an airline strike a cooperation deal. When customers enter an email address during the airline booking process and the payment provider has the same email address in its files, only the payment provider will be shown as a payment option. The airline pays a lower transaction fee in return. To limit the exchange of customer data, they agree to only share 'hashes' of the email, i.e. a cryptographic fingerprint of the email address. While the email address cannot be directly regenerated from the hash value, everyone in possession of the email address can calculate the same hash value and see that the hash matches the email address. The technicians tell their Data Protection Officer that they only exchange anonymous data and there are no privacy issues involved. The Data Protection Officer, however, realises that the airline can single out the relevant customers. The data is therefore personal data and the system falls under the GDPR.}}</blockquote>
====Examples of personal data in the CJEU's case law====
There are a number of data types that were already the subject of CJEU case law:
*Name, date of birth, nationality, gender, ethnicity, religion and language;<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref>
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities;<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref>
*Municipality, information concerning the earned and unearned income and assets of a person;<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref>
*Salaries of employees of a public body;<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]).</ref>
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies;<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>
*Working hours and times, as well as the corresponding breaks and intervals;<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref>
*Telephone numbers, employment and hobbies;<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>
*Dynamic IP address;<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref>
*Video surveillance;<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref>
*The content of written exams;<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref>
*Fingerprints.<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref>
As always, whether or not data is actually personal data is a matter of context and case-by-case analysis.
===(2) Processing===
Processing is another central requirement for the application of the GDPR. It is defined as "''any operation or set of operations which is performed on personal data''".
====Any operation or set of operations====
The notion of processing is formulated broadly by the GDPR as 'any operation or set of operations'. The inclusion of 'a set of operations' means that, within the GDPR, the word 'processing' may refer to a single processing operation or to a set of any number of operations.
The term processing is further explained by a non-exhaustive list of examples:
*Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref>
*Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors;
*Organisation (systematic ordering to enhance access to and evaluation of information), such as the allocation of information within databases;
*Structuring (ordering data according to certain criteria), e.g. in numeric or alphabetical order;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref>
*Storage (saving information in a physical and readable format), such as information on paper, files, disks, drives or cloud servers;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref>
*Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).</ref>
*Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref>
*Retrieval (accessing stored information), for example loading information to be displayed on a device;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).</ref>
*Consultation (accessing stored information through targeted searches), such as using search routines to find and display data;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref>
*Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mail;<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref>
*Disclosure by transmission ('pushing' information to recipients or other third parties), such as sharing customer information with another company;
*Disclosure by dissemination (untargeted distribution of information to an unlimited number of recipients), e.g. in newspapers, radio or TV broadcasting;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref>
*Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or through search engines;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).</ref>
*Alignment (comparison of information against other data sets or specific criteria), such as grid investigations or 'dragnet' actions;
*Combination (merging information), such as profiling (see also Article 4(4) GDPR);<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).</ref>
*Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website;<ref>Recital 67 GDPR.</ref>
*Erasure (irreversibly rendering information inaccessible), such as overwriting data multiple times;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).</ref>
*Destruction (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref>
The only major exception to the above is where the controller remains completely passive and takes no action at all regarding information that the data subject has imposed on it, such as unsolicited data sent to the controller.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref>
====Performed on personal data====
To be considered as 'processing', the operation in question has to be performed on personal data. Processing of other data does not fall under the definition.
====Whether or not by automated means====
Processing can be carried out by fully automated, semi-automated, or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><blockquote>{{Quote-example|A person manually enters names into a system. The names are processed. The data is then stored and never looked at again. Storage is also processing and needs to comply with the GDPR. After years the hard drive that the data was stored on gets shredded. The destruction equally constitutes processing.}}</blockquote>
===(3) Restriction of processing===
Restriction is a specific form of processing. The restriction of processing means neither a complete prohibition to process nor an erasure of personal data; it is best described as a freezing of personal data for a certain period of time.
Usually, restrictions to the processing of personal data occur when the data is not required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref> The restriction of processing can also be initiated at the request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or by a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<blockquote>{{Quote-example|Greta finds out that a credit ranking agency holds wrong information about her. As a consequence she cannot get a cell phone contract. The credit ranking agency has a huge backlog when correcting data. In the meantime the wrong information can be marked as contested and not used in the system.}}</blockquote>
====Marking of stored personal data====
The provision only applies to stored personal data. Personal data that is not at rest does not seem to be subject to a restriction of processing.
Marking the data is usually done through labels in systems or any other similar approach.
====Aim of limiting their processing in the future====
The restriction is not limited to the marking of data, but must aim at limiting the processing of the marked data to very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> In practice this means that systems also have to react to the marking and, for example, no longer include the data in other processing operations.
Obviously the limitation can only have an effect in the future. The fact that the law only requires one to 'aim' for the limitation should not be understood to mean that the limitation need not be fully implemented.
====Implementation====
Technically, the restriction is realised through markers on the data in question which block it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In automated systems, the restriction shall be ensured by technical safeguards so that the personal data is neither subject to further processing nor changed.<ref>Recital 67 sentence 2 GDPR.</ref> In non-automated systems, marking the data is typically not sufficient; a relocation to a separate storage system with access restrictions is required.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref>
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In any case, a data subject who has obtained a restriction of processing has to be informed before the restriction is lifted, according to [[Article 18 GDPR|Article 18(3) GDPR]].
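The following is an added example, not code from the commentary or from any controller's system, of what the 'technical safeguards' described above look like in an automated system: restricted records stay stored but are marked, every read path that feeds further processing filters them out, writes to them are refused, and each blocked access is logged so the safeguard can be evidenced. The subject IDs, scores and the credit-decision consumer are constructed to mirror the Greta example; the purpose labels are assumptions.

```python
"""Added example, not part of the commentary: a minimal restriction-of-processing
layer. Restricted records are marked and kept (stored), every read path that feeds
further processing goes through select_for_processing(), which excludes them, and
update() refuses to change them. All subject IDs and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: Optional[str] = None
    restricted_at: Optional[datetime] = None


class RestrictionError(Exception):
    """Raised when a write or a lifting step would violate the restriction."""


class RecordStore:
    """In-memory store whose read and write paths honour the restriction marker."""

    def __init__(self) -> None:
        self._rows: Dict[str, Record] = {}
        # (event, subject_id, detail): evidence that the safeguard actually fired.
        self.audit: List[Tuple[str, str, str]] = []

    def put(self, subject_id: str, data: dict) -> None:
        self._rows[subject_id] = Record(subject_id, dict(data))

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the record (the 'freeze'); nothing is deleted."""
        rec = self._rows[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        rec.restricted_at = datetime.now(timezone.utc)
        self.audit.append(("restricted", subject_id, reason))

    def lift_restriction(self, subject_id: str, subject_informed: bool) -> None:
        """Lifting presupposes that the data subject was informed (Article 18(3))."""
        if not subject_informed:
            raise RestrictionError("inform the data subject before lifting the restriction")
        rec = self._rows[subject_id]
        rec.restricted = False
        rec.restriction_reason = None
        rec.restricted_at = None
        self.audit.append(("lifted", subject_id, ""))

    def is_restricted(self, subject_id: str) -> bool:
        rec = self._rows.get(subject_id)
        return bool(rec and rec.restricted)

    def select_for_processing(self, purpose: str) -> List[Record]:
        """The only read path processing code may use: restricted records are
        filtered out and every exclusion is logged with the requesting purpose."""
        selected = []
        for rec in self._rows.values():
            if rec.restricted:
                self.audit.append(("blocked", rec.subject_id, purpose))
                continue
            selected.append(rec)
        return selected

    def update(self, subject_id: str, changes: dict) -> None:
        """Restricted data must not be changed either (Recital 67 sentence 2)."""
        rec = self._rows[subject_id]
        if rec.restricted:
            self.audit.append(("blocked", subject_id, "update"))
            raise RestrictionError(f"{subject_id} is restricted: {rec.restriction_reason}")
        rec.data.update(changes)


def credit_decision(store: RecordStore, subject_id: str) -> str:
    """Constructed consumer of the store: a scoring step that cannot see contested
    records and therefore reports 'contested' instead of deciding on wrong data."""
    visible = {r.subject_id: r for r in store.select_for_processing("credit_scoring")}
    if subject_id not in visible:
        return "contested" if store.is_restricted(subject_id) else "unknown"
    return "approved" if visible[subject_id].data.get("score", 0) >= 600 else "declined"


if __name__ == "__main__":
    store = RecordStore()
    store.put("greta", {"score": 420, "note": "wrong default entry"})
    print(credit_decision(store, "greta"))          # declined, based on wrong data
    store.restrict("greta", "accuracy contested by data subject")
    print(credit_decision(store, "greta"))          # contested: excluded from scoring
    try:
        store.update("greta", {"score": 400})
    except RestrictionError as exc:
        print("blocked:", exc)
    store.lift_restriction("greta", subject_informed=True)
    store.update("greta", {"score": 700})
    print(credit_decision(store, "greta"))          # approved
```

The design point is that the marker alone does nothing; the store exposes no unfiltered read path to processing code, so a downstream step cannot 'forget' to check the flag, and the audit list gives the controller the evidence that the restriction was honoured.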
===(4) Profiling===
Profiling is a specific form of processing. The concept is used in various provisions of the GDPR such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], or automated decision making, see [[Article 22 GDPR]]. Profiling also triggers information duties under [[Article 13 GDPR|Articles 13(2)(f)]] and [[Article 14 GDPR|14(2)(g)]] GDPR; access rights under [[Article 15 GDPR#1h|Article 15(1)(h) GDPR]]; or the need to perform data protection impact assessments under [[Article 35 GDPR|Article 35(3)(a) GDPR]].
====Evaluation of personal aspects====
Profiling is defined as a processing operation with the purpose of evaluating personal aspects of a natural person.
Despite the rather specific everyday meaning of 'profiling', there is no minimal threshold of how much data must be used to constitute profiling, or of how personal or sensitive the evaluated personal aspects must be. The definition is therefore very broad and includes any way of calculating personal aspects of individuals.
Profiling is typically done by applying statistical-mathematical methods to personal data in order to produce analyses or predictions of personal aspects.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref>
====Automated processing====
Manual review of personal data to evaluate personal aspects does not constitute profiling, as the definition requires 'automated processing'.
====Exemplary list====
The definition provides a non-exhaustive list of common types of profiling, such as:
*performance at work;
*economic situation;
*health;
*personal preferences;
*interests;
*reliability;
*behaviour;
*location; or
*movements.
Practical examples of 'profiling' are therefore:
*Deriving customer preferences from previous purchases or clicks;
*Maintaining customer profiles for more efficient marketing;<ref>Recital 70 GDPR.</ref>
*Operating systems for credit rating/scoring;<ref>Recital 71 sentence 1 GDPR.</ref>
*Operating e-recruitment systems.<ref>Recital 71 sentence 1 GDPR.</ref>
===(5) Pseudonymisation===
Pseudonymisation is a form of processing that alters personal data so that identifying information is either separated or replaced, so as to no longer allow its attribution to a particular data subject without the use of additional information. The aim is to reduce risks for the data subjects and to help controllers and processors meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR; see also ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as data minimisation, or as part of a data security concept.
Pseudonymised data is a specific type of personal data and still falls under all relevant provisions of the GDPR. There are, however, some provisions that refer to pseudonymised personal data and treat it (slightly) differently than other personal data:
*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]]);
*Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]]);
*Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]]);
*Serving the principles of data minimisation and security ([[Article 5 GDPR|Article 5(1)(c) and (f) GDPR]]);
*Implementing Data Protection by Design and Default ([[Article 25 GDPR]]).
====No longer attributed to a specific data subject====
In order to count as pseudonymised data, the personal data must be processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. Taken on its own, the pseudonymised data set therefore no longer relates to an identified person; since the additional information continues to exist, however, the data subject remains identifiable and the data remains personal data (see Recital 26 GDPR).
====Additional information permitting attribution====
Information allowing attribution to the data subject needs to be stored separately and must be secured by technical and organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref>
====Implementation====
Examples for the pseudonymisation of personal data include:
*Replacement of names by IDs, codes or aliases;<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref>
*Encryption of personal data;<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(5) GDPR, margin number 9 (C.H. Beck 2020).</ref>
*Hashing of personal data.<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref> Note that an unkeyed hash of a low-entropy identifier such as an email address can be recomputed by anyone holding candidate values (see the airline example under Article 4(1) above); a keyed hash whose key is stored separately from the data set fits the definition considerably better.
====Difference to anonymisation====
The distinction between anonymised and pseudonymised data follows the decisive criterion of 'reasonable likelihood' in sentences 3 and 4 of Recital 26 GDPR, which considers the cost, time and available technology required to identify the data subject. However, with the emergence of big data analytics and advanced data processing capabilities, successful anonymisation is becoming increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref>
{{Quote-common-mistake|Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.</ref>}}
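As an added example (not code from the commentary, nor from any of the companies in the airline scenario), the block below makes concrete both the airline example under Article 4(1) and the 'hashing' item in the implementation list above: an unsalted SHA-256 of an email address is deterministic, so two parties exchanging only hashes can still single out their common customers, and anyone with a list of candidate addresses can reverse the hashes by recomputation. A keyed pseudonym (HMAC-SHA256) with the key and the reverse table held in a separate service is shown as the contrasting design. All email addresses, the 32-byte keys and the service class are constructed for the example.

```python
"""Added example, not part of the commentary: why exchanging unsalted hashes of
email addresses (the airline scenario) still singles out data subjects, and how a
keyed pseudonym with the key held separately limits who can re-identify.
All addresses below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


def normalise(email: str) -> bytes:
    # Both parties must canonicalise identically, or the hashes will not match.
    return email.strip().lower().encode("utf-8")


def unsalted_hash(email: str) -> str:
    """Deterministic fingerprint: anyone holding the address recomputes it."""
    return hashlib.sha256(normalise(email)).hexdigest()


def shared_customers_via_hash(mine: Iterable[str], theirs_hashed: Iterable[str]) -> List[str]:
    """What the airline learns after receiving only hashes from the payment
    provider: exactly which of its own customers are also the provider's."""
    by_hash = {unsalted_hash(e): e for e in mine}
    return sorted(by_hash[h] for h in set(theirs_hashed) if h in by_hash)


def dictionary_attack(hashes: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Anyone with a candidate list (a leaked or guessed address list) reverses
    the hashes by recomputation; no inversion of SHA-256 is needed."""
    table = {unsalted_hash(e): e for e in candidates}
    return {h: table[h] for h in hashes if h in table}


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: recomputation requires the key, which is the
    'additional information' that Article 4(5) says must be kept separately."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


class PseudonymisationService:
    """Constructed boundary that holds the key and the reverse-lookup table;
    the pseudonymised data set leaves it without either of them."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, email: str) -> str:
        p = keyed_pseudonym(email, self._key)
        self._reverse[p] = email
        return p

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self._reverse.get(pseudonym)


if __name__ == "__main__":
    airline = ["Alice@example.com", "bob@example.org", "carol@example.net"]
    provider = ["bob@example.org", "dave@example.com"]
    provider_hashes = [unsalted_hash(e) for e in provider]
    print(shared_customers_via_hash(airline, provider_hashes))   # ['bob@example.org']
    print(dictionary_attack(provider_hashes, airline))           # bob's hash resolved
    svc = PseudonymisationService()
    p = svc.pseudonymise("alice@example.com")
    print(p != unsalted_hash("alice@example.com"), svc.reidentify(p))
```

The keyed variant does not make the data anonymous either: whoever holds the key (or the reverse table) can re-identify, which is precisely why pseudonymised data stays personal data. What changes is that the recipient of the data set alone can no longer recompute or match pseudonyms, provided the key never travels with the data.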
===(6) Filing system===
The definition of a 'filing system' is relevant for the application of the GDPR in cases of non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]).
====Set of personal data====
A filing system is characterised by a structured set of personal data. The data can be stored on a single data carrier or on multiple ones, in a centralised or decentralised manner. Also, a filing system does not require the storage of information on multiple persons; storing structured information on a single person may qualify as a filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref>
====Structured by specific criteria====
A set of data is only a structured filing system if it is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> For example, when personal data on a particular person is 'retrievable', this requirement is already satisfied.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref>
====Typical examples====
Examples are:
*Paper archives, sorted by name, date or any other system;
*Salary lists of employees;<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Saved letter correspondence with customers;<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Covid-19 guest lists sorted by date.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref>
===(7) Controller===
The controller is the main addressee of obligations under the GDPR. The controller is defined as the body that determines the purposes and means of the processing. This broad definition of the concept of controller is intended to ensure the effective and complete protection of data subjects.<ref>CJEU, Case C-200/23, ''Agentsia po vpisvaniyata,'' 4 October 2024, margin number 72 (available [[CJEU - C-200/23 - Agentsia po vpisvaniyata|here]]).</ref>
====Objective approach====
The GDPR foresees that the controller must be determined based on the objective facts of the case. This means that mere declarations in contracts, privacy notices and the like do not constitute a binding determination of controllership. The objective approach requires a detailed assessment, but also prevents so-called 'forum shopping' and responsibility shifting.
====Any natural or legal person====
A controller can be any natural or legal person, public authority, agency or other body. Everyone with legal capacity can be a controller when processing personal data, including individuals, private legal entities, or government entities. It is necessary to assign the determination of purpose and means (see below) to a responsible entity. Departments, individual establishments, or other elements that are not legally independent form one controller together with the legal entity that they belong to.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 9 (C.H. Beck 2020), with further references.</ref>
It is after all a matter of national law whether, for example, workers' councils within a company or individual government entities form a legally separate body or not. If they are legally separate holders of rights and duties, they can form a separate controller.
If a person within the controller acts outside of their assigned capacity and processes personal data for their own purpose, their acts cannot be attributed to the controller and they become their own controller, with their own responsibilities for any processing operation they may undertake.<ref>''Hartung, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 10 (C.H. Beck 2020).</ref><blockquote>{{Quote-example|In Member State 'A' schools are their own legal entity. In Member State 'B' schools are part of the Ministry of Education and are not separate holders of rights. In Member State 'A' the school is typically the controller for processing operations within it, while in Member State 'B' the Ministry is typically the controller. If the computer science teacher in either school decides to use a school server to host his own private software project, the teacher is typically considered a separate controller.}}</blockquote>
====Determination====
The key element of the controller definition is the focus on the entity making the relevant determinations for any processing activity. The determinations of persons acting on behalf of an entity are attributed to that entity. It is necessary to review which entity, or element within an entity, objectively made determinations about the purpose and means. This includes decisions on 'whether', 'why' and 'how' the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
Merely formal declarations are not relevant. Especially in complex situations where many players are involved in the processing operation, the proper identification of the controller may prove to be difficult.<blockquote>{{Quote-example|Company 'A' offers an app to users. The head of the IT department suddenly decides that personal data of users will be processed for the purpose of product improvement and advertisement of the app itself. The CEO of the company does not raise any objections. Company 'A' is the controller for the processing operations and ultimately responsible for complying with the GDPR.}}</blockquote>
====Purposes====
Personal data may only be processed for a specified, explicit and legitimate purpose (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). The body that decides on the purpose is typically the controller. The determination of the purpose is the primary element to review when determining controllership.<ref>''Jahnel'', DSGVO, Article 4(7) GDPR, margin number 15 (Jan Sramek Verlag 2021).</ref>
====Means====
The means include the personal data that is processed to achieve the purpose; the duration of the processing; the recipients of personal data; as well as the technical means to process personal data, such as hardware or software.<ref>''Jahnel'', DSGVO, Article 4(7) GDPR, margin number 22 (Jan Sramek Verlag 2021).</ref> The controller need only determine the means; it does not have to control them physically.<blockquote>{{Quote-example|A company uses an external service for statistical analysis. The systems of the external service collect personal data and calculate the results. The company does not even have access to the raw information. Nevertheless, the company has determined the purposes and means of the processing (including the described system) and is hence the controller.}}</blockquote>
====Opening clause for a determination by EU or Member State law====
Article 4(7) GDPR allows that specific EU or national law (''lex specialis'') may assign the controllership to a certain entity for specific processing operations. Such provisions typically define controllership when private entities act in the public interest or are fulfilling public tasks. The clause also allows Member States to clarify controllership among different public bodies or elements. Such explicit determinations in EU or national law should not be confused with generic national laws that assign certain duties to an entity without determining controllership itself.
In case national law makes such a determination, it should be ascertained whether that law specifies the controller or lays down the criteria applicable to its nomination.<ref>CJEU, Case C-200/23, ''Agentsia po vpisvaniyata,'' 4 October 2024, margin number 73 (available [[CJEU - C-200/23 - Agentsia po vpisvaniyata|here]]).</ref>
{{Quote-CJEU|"It must also be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned [...]"|CJEU - C-200/23 - Agentsia po vpisvaniyata|74.}}
====Joint controllership====
Where the purposes and means of the processing of personal data are determined jointly, the responsibilities are shared between the entities involved. In such cases of 'joint' or 'co-controllership' the entities have to determine their respective responsibilities for the processing in an agreement according to [[Article 26 GDPR]]. What ultimately matters, however, is the factual influence on the processing of the personal data<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> (see Recital 79 GDPR). The participation in and influence on the determination of purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the CJEU interprets the concept of 'controller' broadly.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]).</ref>
For example, a joint controllership is assumed between:
*Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results;<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref>
*Facebook and the entity administering pages on the social network;<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook, through setting parameters on its target audience and promoting its activities, takes part in the determination of purposes and means of the processing of personal data of its visitors.</ref>
*Websites that integrate elements of a third-party controller, such as a 'Like Button'.<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), according to which the decision to embed a 'Like Button' on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.</ref>
In each case, however, the responsibility of each entity is strictly limited to the part of the processing over whose purposes and means it has influence. This makes it especially important to clarify the responsibilities of each controller, as required by [[Article 26 GDPR]].<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>
===(8) Processor=== | ===(8) Processor=== | ||
In practice most controllers do not process all their personal data themselves, but use various external providers, such as hosting providers, SaaS providers or so-called 'Cloud' providers, that process data on their behalf. The GDPR regulates these 'processors', as well as the interplay between the controller and the processor. | |||
Once an entity qualifies as a 'processor', many provisions of the GDPR apply, such as the required implementation of technical organizational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of additional relevance is [[Article 28 GDPR]], that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]]. | |||
It should be noted that this definition includes the initial processor engaged directly by a controller as well as sub-processors along the processing chain (processors engaged by another processor).<ref>EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf here]).</ref> | |||
====Any natural or legal person==== | |||
Just like a controller, a processor can be any natural person, legal person, public authority, agency, or body. Internal units that process personal data on behalf of another department within the same legal entity (e.g. an IT department) are not processors, but are part of the controller. | |||
====Processing on behalf of the controller ==== | |||
The most important distinction is that, unlike the controller, the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> | |||
====Sub-Processors====
A special form of the processor is the 'sub-processor'. This is another processor that is engaged by the processor. In theory there can be any number of sub-sub-processors; in practice, such setups are very hard for a controller to manage. For further information see the commentary on [[Article 28 GDPR|Article 28(2) and (4) GDPR]].
====Distinction to a (joint) controller====
In practice, major IT companies (usually 'processors') are often more in control of processing operations than their commercial customers (usually 'controllers'). They usually offer a standard product with very specific terms and conditions on which many controllers have little influence. Therefore, it can be difficult to distinguish a 'joint controller' or 'co-controller' from a processor.
====Roles are specific for each processing operation====
Usually each processor also conducts processing operations where it is itself the controller. This is also the case whenever the processor acts against the orders of the controller and processes personal data for further purposes. In all these situations, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref>
====Exemplary list====
In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> provides some examples of controller-processor relationships:
*Outsourcing of call centres for customer communications;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
*Outsourcing of mail services;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
*Cloud hosting and grid computing;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref>
*A separate entity specialised in data processing within a group of companies.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref>
<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>
===(9) Recipient===
The 'recipient' is an umbrella term, defined as anybody (such as controllers, processors or third parties) to whom personal data is disclosed. Therefore, whenever a controller sends personal data to another entity, this entity qualifies as a recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref> The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,<ref>More precisely, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, once it discloses personal data to another entity, can no longer assume full responsibility for the processing on its own.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref> Listing the recipients ensures that the data subject is fully informed as to the whereabouts of their personal data.
====Any natural or legal person====
Just like a controller or processor, a recipient can be any natural person, legal person, public authority, agency, or body. On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref>
====Disclosure====
The core element of the definition is the 'disclosure' of personal data. This includes any voluntary act of data sharing, including transmission, dissemination or otherwise making available (see Article 4(2) GDPR).<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4(9) GDPR, margin number 6 (C.H. Beck 2020).</ref>
====Processors====
There is an ongoing discussion as to whether a 'processor' can also be considered a 'recipient'. On the one hand, the processor is generally acting on behalf of the controller and is therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of the concept of the third party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller of its duty to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Articles 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref>
====Exception for public authorities====
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref>
===(10) Third party===
The term 'third party' is used to describe anyone other than the data subject. This notion becomes relevant mostly in terms of evaluating interests, such as in Article 6(1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref>
====Negative definition====
'Third party' constitutes a negative definition, covering any natural or legal person, public authority, agency, or body other than:
*the data subject;
*the controller;
*the processor; or
*any other person authorised to process personal data by the controller.
====Dynamic classification of third parties====
While an entity may be a third party from the perspective of a given controller, it may itself be a controller or processor for any processing operation it conducts itself. The notion of a 'third party' is therefore not absolute, but depends on the circumstances of a particular processing operation.
====Typical cases====
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not third parties, unless the employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this case, although considered a third party from the point of view of the controller, they become controllers themselves for the processing of the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref>
<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>
===(11) Consent===
Consent is one of the legal bases mentioned under Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data.
The requirements for consent call for a joint reading of Articles 4(11), 6(1)(a), 7 and 8 GDPR.
*For the definition of 'consent', see the commentary under [[Article 6 GDPR|Article 6(1)(a) GDPR]] and [[Article 7 GDPR]].
*For the definition of 'explicit consent', see the commentary under [[Article 9 GDPR|Article 9(2)(a) GDPR]].
<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en EDPB Guidelines 05/2020 on consent under Regulation 2016/679]</blockquote>
===(12) Personal data breach===
The definition of 'personal data breach' is relevant for the notification duties under [[Article 33 GDPR|Articles 33]] and [[Article 34 GDPR|34]] GDPR.
====Breach of security====
The definition of a data breach requires a breach of security, such as a failure of the technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]].
====Accidental or unlawful====
These failures can either be caused by accident (e.g. through mishandling of personal data by the controller, employees and the like) or by unlawful acts (e.g. targeted attacks, hacking or a physical break-in).<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref>
====Destruction, loss, alteration, unauthorised disclosure, or access====
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to unauthorised disclosure of or access to it. Whenever personal data is disclosed, this qualifies as a personal data breach by virtue of the mere possibility of accessing that data; actual access to the disclosed data is not required.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>
Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.<ref>Wording: “otherwise processed”.</ref>
====Typical cases====
Some examples of personal data breaches are:
*Hacking attacks on systems involving personal data;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Missing access protection for data storage or buildings;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Sending data to unintended recipients;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Employees unlawfully distributing data to third parties;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref>
*Accidentally publishing or leaking data on a website;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>
*Loss of physical data carriers;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Destruction of data storage infrastructure;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unrecoverable encryption through ransomware;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unlocked storage of employee files.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
===(13) Genetic data===
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, disease or the like, whether already present or emerging in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA), or ribonucleic acid (RNA) analyses.
The classification of genetic data becomes relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, which allows a unique identification of the data subject and, at the same time, reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and their biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of hereditary diseases, genetic data carries a high risk of misuse in the context of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref>
===(14) Biometric data===
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person, obtained from specific technical processing and allowing for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the requirements of technical processing and unique identification set a higher threshold.
The definition itself uses facial images and fingerprints<ref>Also called 'dactyloscopic data'.</ref> as examples of biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs are not considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> Further processing through the application of facial recognition software, however, would qualify the extracted information as biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered biometric data.
Other data that does not allow a unique identification, such as body size or blood type, is not considered biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, such data could then fall under the definition of ‘health data’, which offers protection similar to that afforded to biometric data according to [[Article 9 GDPR|Article 9(1) GDPR]].
===(15) Data concerning health===
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the health status of the data subject in the past, present or future. In this regard, any information on diseases, risks and disabilities of a particular natural person, in addition to their medical treatment and history, explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref>
Examples of health data include information about:
*Addictions to alcohol, drugs or medications as well as participation in self-help groups;<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
*Hospitalisations, sick notes and sick pay;<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
*Physical or mental incapacity to work;<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(15) GDPR, margin number 5 (NOMOS 2019).</ref>
*Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref>
The notion of health data is therefore broader than ‘medical data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless and high level of protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.</ref> For further information, see the commentary on [[Article 9 GDPR]].
<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak]</blockquote>
===(16) Main establishment===
If a controller or a processor has establishments in more than one member state, identifying its 'main establishment' is the first step towards identifying the lead supervisory authority in a cross-border procedure under [[Article 56 GDPR]].
====Objective criteria====
The main establishment of an entity must be determined according to objective criteria.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> As the main establishment determines the competent supervisory authority, the Working Party 29 stressed that the GDPR does not permit 'forum shopping' and that conclusions cannot be based solely on statements by the controller or processor. The controller or processor’s analysis can be overturned based on an objective examination of the relevant facts.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
====(a) Main establishment of a controller====
=====General rule: central administration=====
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, "''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''".<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
Recital 22 GDPR defines an establishment as "''the effective and real exercise of activity through stable arrangements''". The legal form of such arrangements is irrelevant. According to [[CJEU - C‑230/14 - Weltimmo|C-230/14 - ''Weltimmo'']], an establishment depends on "''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State [which] must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned''".<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, the mere presence of a single representative can constitute a stable arrangement, when they act with a sufficient degree of stability and have the necessary equipment to provide the specific services in the member state concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref>
=====Exception: processing decisions in another establishment=====
If a controller’s main establishment is not the place of its central administration in the EU, the exception to the general rule applies. In this case it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data. Instead, to determine the controller’s main establishment, the Working Party 29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
*Where are decisions about the purposes and means of the processing finally signed off?
*Where are decisions about business activities that involve data processing made?
*Where does the power to have decisions implemented effectively lie?
*Where is the Director with responsibility for cross-border processing located?
*Where is the controller or processor registered as a company?
====(b) Main establishment of a processor====
=====Central administration=====
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.
See above for details on determining the central administration.
=====No central administration=====
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in an establishment in the Union that is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref>
The meaning of 'the context of activities' has already been specified in [[CJEU - C‑131/12 - Google Spain|C-131/12 - ''Google Spain'']]. The CJEU built on a broad definition of 'establishment' and clarified that the mere intention of a member state’s establishment to provide advertising space for a third-country undertaking constitutes processing of personal data in the context of the Union establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref>
Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU "''even if the local establishment is not actually taking any role in the data processing itself''".<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an "''inextricable link''" between the activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref>
====Cases involving both the controller and the processor====
Recital 36 GDPR explains that "''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''". This is not reflected in the text of the relevant Articles.
For details see the commentary on [[Article 56 GDPR]].
===(17) Representative===
Where a controller or a processor not established in the Union falls under the territorial scope of [[Article 3 GDPR|Article 3(2) GDPR]] due to processing activities related to data subjects in the Union, it must, in accordance with [[Article 27 GDPR]], appoint a representative in the EU. Representatives are any legal or natural persons established in the Union and designated by a controller or processor.
For more details and exceptions to the obligation to designate a representative, see the commentary on [[Article 27 GDPR]].
===(18) Enterprise===
An 'enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of an enterprise, irrespective of its size, legal form or the interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref> An enterprise requires a regular engagement in economic activities, meaning activities intended to be carried out over the long term and not only occasionally.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Being a 'small [or] medium enterprise' is a precondition for the waiver of the duties under [[Article 30 GDPR|Article 30(5) GDPR]].
While the English version of the GDPR distinguishes between the ‘enterprise’ and the ‘undertaking’, other language versions merge both into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This caused confusion around the assessment of fines according to [[Article 83 GDPR]], which in the English version refers to the term 'undertaking' in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU], and thereby not to the definition in Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> The broader definition of an 'undertaking', which includes parent companies and all subsidiaries, leads to higher fines for such structures when the fine is calculated based on the global turnover.
===(19) Group of undertakings===
A group of undertakings consists of a leading ('controlling') entity and one or more dependent ('controlled') entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and its subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref> In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example, the power to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as a group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref>
Two undertakings are sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller merely giving instructions to a processor regarding the processing of personal data does not form a group of undertakings with it.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref>
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:
*The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]);
*The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]);
*The transfer of data for internal administrative purposes ([[Article 6 GDPR|Article 6(1)(f) GDPR]] in conjunction with Recital 48 GDPR);<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref>
*The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).
However, the notion is to be distinguished from a "''group of enterprises engaged in a joint economic activity''", which can jointly use binding corporate rules under [[Article 47 GDPR]]. Such a group consists of separate and independent entities which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.
===(20) Binding corporate rules===
Binding corporate rules ('BCR' for short) are personal data protection policies adhered to by controllers or processors established in the Union for transfers of personal data to entities of the same group that are established in third countries. Binding corporate rules constitute an appropriate safeguard under Article 46 GDPR and thus allow transfers to third countries in the absence of an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they cover only intra-group transfers, i.e. transfers between the entities of the group of undertakings or group of enterprises concerned. Transfers to entities outside that group cannot be based on binding corporate rules.
For more information on the requirements and the approval procedure for binding corporate rules, see the commentary on [[Article 47 GDPR]].
===(21) Supervisory authority===
Supervisory Authorities ('SAs') or, colloquially, 'Data Protection Authorities' ('DPAs') are the independent public authorities responsible for monitoring the application of the GDPR under [[Article 51 GDPR]]. Member States may establish one or several supervisory authorities, to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> <blockquote>{{Quote-example|Austria, France and Ireland each have a single supervisory authority for enforcing the GDPR. The Irish and French supervisory authorities are also in charge of enforcing the ePrivacy Directive 2002/58/EC, whereas Austria gave this power to the telecoms regulator. Germany has a federal supervisory authority and at least one authority for each of the sixteen German states; some states have more than one authority, responsible for different types of controllers.}}</blockquote>Supervisory authorities act independently (see [[Article 52 GDPR]]) and are provided with competences ([[Article 55 GDPR|Articles 55 and 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the commentary on those articles.
===(22) Supervisory authority concerned===
Only 'supervisory authorities concerned' have a role in the cooperation procedure under [[Article 60 GDPR|Articles 60]] to [[Article 66 GDPR|66]] GDPR; other supervisory authorities may not participate in those procedures. A supervisory authority qualifies as 'concerned' in any of the three situations laid down in Article 4(22) GDPR:
*the controller or processor is established in the Member State of that supervisory authority;
*data subjects residing in the Member State of that supervisory authority are substantially affected, or likely to be substantially affected, by the processing; or
*a complaint has been lodged with that supervisory authority.
==== Controller or processor establishment====
A DPA is concerned when a controller or processor is established in its Member State. 'Establishment' implies the effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of whether those arrangements take the legal form of a branch or a subsidiary in the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding has been confirmed by the CJEU, which regards any real and effective activity exercised through stable arrangements as an establishment, irrespective of its legal form.<ref>CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref>
==== (Likely) substantial effect on data subjects====
Although the GDPR does not further specify what 'substantially affected' means, the wording indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> The mere likelihood of such an impact is sufficient; an actual effect is not required. Whether a substantial effect exists or is likely is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this ground requires the data subjects to reside in the Member State of the DPA, i.e. to have at least stable links to that State as the habitual centre of their interests.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref>
====Filing a complaint with the supervisory authority====
Lodging a complaint with a particular supervisory authority makes it a 'concerned' authority. Since complaints may also be lodged with a DPA other than that of the Member State where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> a supervisory authority can be 'concerned' even where the data subject does not reside in its Member State (or in the Union at all) and there is no (likely) substantial effect on data subjects there. For further information on lodging a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].
===(23) Cross-border processing===
The definition of 'cross-border processing' is not intuitive, since not every processing operation that crosses a border is 'cross-border processing' under the GDPR. The narrow definition in turn limits the scope of the 'one-stop-shop' mechanism, which is described in the commentary on [[Article 56 GDPR]].
====(a) Processing in the context of establishments in more than one Member State====
The notion of establishment is again to be interpreted broadly. It covers any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> regardless of the legal form as a branch or subsidiary in the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 29; and CJEU, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing need not be carried out by the establishment itself; it suffices that it takes place in the context of the establishment's activities. Where the EU establishment does not itself process the personal data, an inextricable link between its activities and the processing is sufficient.<ref>CJEU, Google Spain, C-131/12, 13 May 2014, margin numbers 53 and 56; CJEU, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Where, conversely, the link between an establishment's activities and the processing is only remote, the processing does not take place in the context of that establishment's activities, and that establishment therefore does not turn the processing into 'cross-border processing'.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
====(b) Processing (likely) to substantially affect data subjects in more than one Member State====
'Substantially affect' again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subjects.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> The mere likelihood of such an impact is sufficient; an actual effect is not required. Whether a substantial effect exists or is likely is decided by the DPA on a case-by-case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref>
===(24) Relevant and reasoned objection===
A 'relevant and reasoned objection' is an objection by a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> to a draft decision of the lead supervisory authority.<ref>See [[Article 56 GDPR]].</ref> When such an objection is raised, the lead supervisory authority must either follow it or, if it does not follow it or considers the objection not to be relevant or reasoned, submit the matter to the consistency mechanism (see [[Article 60 GDPR|Article 60(4) GDPR]]), in which the EDPB adopts a binding decision (see [[Article 65 GDPR|Article 65(1)(a) GDPR]]).
In order to limit objections by other supervisory authorities,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR sets a threshold: an objection must be 'relevant' and 'reasoned', and it must 'clearly demonstrate' the significance of the risks posed by the draft decision<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref> for the fundamental rights and freedoms of data subjects and, where applicable, for the free flow of personal data within the Union. Consequently, it is not enough for a concerned supervisory authority merely to assert that the lead supervisory authority's draft decision is unlawful.
For details, see the commentary on [[Article 60 GDPR|Articles 60]] and [[Article 65 GDPR|65]] GDPR.
===(25) Information society service===
For the definition of ‘''information society service''’ the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535]. Under that provision, an information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The classification as an information society service is relevant in several contexts of the GDPR, such as children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]).
====At a distance====
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services provided in the physical presence of the provider and the recipient therefore do not fall within the definition, even where electronic equipment is used.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref>
====Electronic means====
‘By electronic means’ requires that the service is sent and received entirely by means of electronic equipment for the processing and storage of data, and transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services that are not provided via electronic processing and storage systems, or that are provided offline, are excluded,<ref>See also Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> whereas the online sale of goods, online advertising and online gaming do qualify.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref>
====Individual request====
‘At the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitted to an unlimited number of recipients without their individual demand, such as radio broadcasting, television and teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Genuine video-on-demand services, where the content is transmitted on the individual request of the viewer, do qualify; pay-per-view or 'near-video-on-demand' services whose programmes are broadcast at fixed times to all subscribers do not, as the CJEU held in Mediakabel.<ref>CJEU, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref>
====Typical cases====
Accordingly, most online services encountered today fulfil the criteria of an information society service. Typical examples are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref>
*Online legal or health services;
*Online libraries or newspapers;
*Online shopping and booking services;
*Online media platforms or video games;
*Online search engines and web browsers.
===(26) International organisation===
An ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body set up by, or on the basis of, an agreement between two or more countries. The classification as an international organisation is relevant for the additional rules on data transfers in [[Article 44 GDPR|Articles 44 to 50 GDPR]]. While the Data Protection Directive only regulated data flows to third countries, the GDPR extends these rules to transfers to international organisations as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4(26) GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and safeguards applying to such transfers, see the commentary on [[Article 45 GDPR|Articles 45 to 49 GDPR]].
The GDPR does not specify the term further, and there is no universally accepted definition. According to the CJEU, the Vienna Convention on the Law of Treaties of 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> may serve as a source of inspiration for interpreting EU law.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] merely defines ‘international organization’ as ‘intergovernmental organization’ and thus does not deliver a more specific definition. Moreover, since the GDPR does not further delineate either of its two alternatives (being governed by public international law, or being set up by or on the basis of an agreement between two or more countries), a broad and flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref>
Accordingly, organisations such as the United Nations (UN), the International Telecommunication Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> This list is not exhaustive. Non-governmental organisations (NGOs), by contrast, are usually established as private initiatives and governed by the domestic law of a Member State, and therefore generally do not qualify.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref>
==Decisions==
Latest revision as of 11:58, 14 November 2024
Legal Text
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
16. ‘main establishment’ means:
- (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
- (a) the controller or processor is established on the territory of the Member State of that supervisory authority;
- (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- (c) a complaint has been lodged with that supervisory authority;
23. ‘cross-border processing’ means either:
- (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Relevant Recitals
Commentary
Article 4 GDPR provides a list of definitions used to further specify relevant terms used throughout the GDPR.
Some definitions are taken from the preceding Directive 95/46/EC, allowing an understanding to build upon the already existing terms. Other definitions, however, are newly introduced, modified, or complemented with additional elements, and therefore require a new interpretation.
(1) Personal data
The principal concept of the GDPR is that of ‘personal data’, as the Regulation only applies to personal data and refers to it throughout the text of the GDPR.
Its definition developed from a previously existing definition under Article 2 (a) Directive 95/46/EC.[1] The Directive itself derives the definition from Article 2 (a) Convention 108,[2] according to which "personal data means any information relating to an identified or identifiable individual".
The definition can be divided into four elements: (1) ‘any information’; (2) ‘relating to’; (3) ‘an identified or identifiable’; (4) ‘natural person’. All four elements must be fulfilled for information to qualify as personal data.
Any information
With the expression ‘any information’, the legislator underlines the intention to keep the term ‘personal data’ as broad as possible.
In this regard, the German Constitutional Court already stated in 1983 that "Under the conditions of automatic data processing, there is no longer meaningless data."[3] This position is shared by the Commission, which stated that "any item of data relating to an individual, harmless though it may seem, may be sensitive",[4] thereby also following the wish of the Council to keep the definition as general as possible.[5] Equally, the European Court of Human Rights held that “private life” must not be interpreted restrictively: "respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of 'private life'".[6]
Accordingly, personal data includes any information, whether it relates to the individual’s private and family life or to their working, economic or social behaviour, and regardless of the individual's position or capacity.[7]
For example: Petra keeps various information on her smartphone. This includes information she does not seem to treat as private, as she even shares it online on widely available platforms with her name attached, but also information about her love and sex life in chats, which she clearly considers very private. In addition, she keeps data relating to her job as an independent contractor on her phone. The GDPR covers all such information, whether it is trivial or extremely sensitive, private or related to her business.
The information can be 'objective', such as unchangeable characteristics of a data subject, as well as 'subjective', in the form of opinions or assessments.[8] It is not necessary for the information to be true, proven or complete.[9] Mere probabilities, predictions or planning information are therefore also covered by the GDPR, as long as they relate to a person.
For example: Petra is also a customer of a bank, with a private and a commercial account. The bank holds not only her name, address, contact details and passport information, but also all her transaction data. In addition, the bank uses a system to predict whether Petra may default on her loan. For the prediction the bank uses information about unpaid bills from a third-party provider. This information is actually incorrect, as Petra has always paid her bills. All such data is covered by the GDPR, allowing Petra, for example, to use her rights under the GDPR to take action against incorrect information associated with her.
With regard to the format or medium of the information, data of any type, be it alphabetical, numerical, (photo)graphical or acoustic, is included. This covers information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance footage,[10] telebanking records,[11] medical prescriptions,[12] or even a child's drawing.[13] The GDPR deliberately does not specify the medium or type of information, following a 'technology-neutral' approach.
Relating to
The information must relate to an individual. In line with the WP29,[14] the CJEU assesses this requirement on the basis of three alternative criteria, namely whether "the information, by reason of its content, purpose or effect, is linked to a particular person".[15]
By its content, information 'relates to' a person when it is about that particular individual.[16] Conversely, information relating to a larger group of people, with no possibility of singling out an individual, does not relate to a particular person.[17]
For example: A marketing company's system identifies twenty different groups within French society and assigns different income levels, spending behaviours and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to one of these groups, claiming that he is conservative, has a mid-level income and is open to spending his income on travel, the information relates to Felix and is covered by the GDPR.
Similarly, information exclusively linked to objects or events does not, as such, relate to a particular person.[18] However, where information on objects also concerns individuals, it can relate to them indirectly. For example, the value of a house allows others to infer the owner's wealth and income situation, while car service records allow conclusions about the owner's driving behaviour.[19] Geodata (such as GPS data and coordinates) allows others to derive the locations and movement patterns of individuals.[20] Equally, satellite images could be used to find out whether a person can afford a large property or a swimming pool, provided that the image can be linked to an individual.[18] This is particularly relevant in the current technological landscape, considering the wealth of information that can be extracted from a growing number of personal devices, wearables and RFID chips, especially as these devices become increasingly associated with their owners or users.[21]
Furthermore, the purpose of the information can make it 'relate to' a person, namely where it is used to evaluate or change that person's status or behaviour.[22] Accordingly, data relates to an individual where it is used to determine or influence the way that person is treated or evaluated by the processing entity.[23] The purpose is therefore closely connected to the effect of the processing: the impact on a particular person's rights and interests can, by itself, make information relate to that person.[24] For example, a system deployed to determine the position of available taxis would also allow monitoring of the performance of the respective drivers, strongly impacting their employment situation.[25]
Identified or identifiable
The person to which the information relates must also be identified or identifiable.
A person is "identified" when they can be directly distinguished, or "singled out", from a larger group of persons on the basis of the information.[26] This can be achieved through the 'identifiers' listed in Article 4(1) GDPR, such as a name, an identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. The Article 29 Working Party gives further examples, such as telephone numbers, car registration numbers, social security numbers and passport numbers, as well as a person's height, hair colour, clothing or professional qualities.[27] A person's name is therefore not necessarily required to identify them, as other identifiers are often more unique.[28]
For example: A controller holds the phone numbers of data subjects, but not their names. The users are still 'identified' by that number and the GDPR applies.
A person is "identifiable" when they have not been identified yet, but identification is possible through a combination of available pieces of information.[29] It can be unclear what is still 'identifiable' and what is not. Different people have different abilities to identify a person, and different contexts or situations may lead to different answers as to whether a person is identifiable. Recital 26 clarifies that "to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used... either by the controller or by another person to identify the natural person".
The starting point is therefore an absolute (objective) approach that considers both the information held by the controller and information held by any other entity that could be used to identify a person. The 'reasonable likelihood' of such information actually being used by the controller or a third party, however, narrows the approach. In this regard, Recital 26 adds that in order "to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification... the available technology at the time of the processing and technological developments".
In other words, while not all of the information required to identify the person needs to be in the hands of the controller,[30] the mere hypothetical possibility of identifying the person with information held by other entities is not sufficient.[31] The assessment therefore requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the cost, time and effort required. The assessment is factual and is not limited to lawful means of identification: where it is reasonably likely that an actor would also use unlawful means, these count as well.
In C-582/14 Breyer the CJEU had to consider whether IP addresses enable the identification of a natural person. An IP address is the number under which a computer or smartphone can be reached over the internet, and almost every controller exchanging information with a data subject over the internet will handle IP addresses. IP addresses can be dynamic (the address is reassigned periodically, for instance after a fixed interval or whenever the customer's connection is re-established) or static (the address is permanently associated with the same customer). Where an address is linked to a user account, it is clearly personal data. Even where the controller itself cannot link the address to a person, public authorities, and in some cases private entities, may have legal means to obtain from the internet service provider the subscriber details associated with an IP address. The CJEU found that in such cases the IP address can constitute personal data.[32]
"[A] dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data [...] in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."
CJEU - C-582/14 - Breyer, margin number 49.
This example from the case law shows that many data types may constitute personal data in one situation and not in another. Usually controllers and processors cannot, for example, determine whether an IP address in their log files is dynamic or static. In practice this means that controllers and processors often choose to treat all IP addresses as personal data, to ensure compliance with the GDPR.
Furthermore, as information becomes more accessible through big data technologies and device fingerprinting, the means of identifying individuals become more effective.[33] In addition, because more information is continuously added to data sets and retained for longer, persons are significantly more likely to be identified.[34]
Natural person
The right to data protection is not restricted to certain nationals or citizens of specific countries[35] but granted to all natural persons according to Article 8 of the EU Charter of Fundamental Rights ("Everyone has the right to the protection of personal data concerning him or her").[36]
For example: A third-country national enters the EU irregularly. Once she arrives, she makes a WhatsApp call to tell her family back home that she is safe and now in the EU. Given that the territorial scope of Article 3 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR, independent of her immigration status or citizenship, because the GDPR follows a human rights approach.
Building on this definition, national legislators usually limit protection to the period from birth to death.[37] Under the GDPR, information relating to deceased persons is therefore not considered personal data (see also Recital 27 GDPR).[38] However, Member States may provide rules for the protection of deceased persons,[39] usually through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where data of deceased persons may be indirectly protected through their relatives.[40] For more information, see also the commentary on Article 4(13) GDPR.
As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data.[41] However, related provisions in the ePrivacy Directive,[42] national data protection laws or constitutional law sometimes grant alternative protection.[43] Furthermore, information regarding legal persons is protected by the GDPR where it amounts to information on natural persons. This is particularly relevant where information on a legal person allows one to derive information on a natural person: a company name or address may relate to a natural person and therefore constitute personal data, which is especially common for small, family-run or one-person businesses.[44]
For example: 'Marta O'Connel's Plumbing of Limerick Ltd.' is a limited company and not itself a 'natural person' under the GDPR. However, its sole owner and manager is Marta O'Connel, and there is no other female plumber in the whole of Limerick. It is therefore easy to identify the natural person behind the legal entity. Information about 'Marta O'Connel's Plumbing of Limerick Ltd.' going bankrupt thus also relates to an identifiable natural person and is, as such, covered by the GDPR.
Anonymous data
Personal data is often contrasted with 'anonymous' data. Anonymous data is information which does not relate to an identified or identifiable natural person, or which has been rendered such that the data subject is not or no longer identifiable (see Recital 26 GDPR). The GDPR does not protect such data, and controllers or processors are free to use it (unless there are limits under other applicable law).
For example: Employees can participate in an internal vote. The ballots are thrown into a ballot box and mixed; the votes are properly anonymised. In a digital system, data can likewise be stored without any linked personal information (such as user IDs). If the remaining information cannot be traced back to a person, it is anonymous data and not covered by the GDPR.
In practice it is becoming increasingly hard to truly anonymise personal data, especially when the data is rich rather than limited and uniform, or can be connected with other available information. New methods and technologies, such as big data analytics and artificial intelligence, are able to match and connect information that humans would not recognise as related.
For example: In 2006 the internet company AOL released 20 million search queries that had been entered into its search engine over three months. The queries of each user were linked by a numeric ID in place of the user's name. As many users had entered personal information in the search box, the New York Times was quickly able to identify individual users. AOL later deleted the file, but it had already been widely copied.
Some technical measures that may be useful or even required under the GDPR (for example from a security perspective under Article 32 GDPR, or as a means of data minimisation under Article 5(1)(c) GDPR) are sometimes confused with techniques that truly anonymise data.
For example: A payment provider and an airline strike a cooperation deal. When a customer enters an email address during the airline's booking process and the payment provider has the same email address in its files, only the payment provider is shown as a payment option; in return, the airline pays a lower transaction fee. To limit the exchange of customer data, the parties agree to share only 'hashes' of the email address, i.e. a cryptographic fingerprint. While the email address cannot be read back from the hash value directly, everyone in possession of the email address can calculate the same hash and see that it matches. The technicians tell their Data Protection Officer that they only exchange anonymous data and that no privacy issues are involved. The Data Protection Officer, however, realises that the airline can single out the relevant customers. The data is therefore personal data and the system falls under the GDPR.
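The following Python script is an added example and not part of the original commentary; the addresses and the shared key in it are constructed. It shows the two properties the Data Protection Officer relied on: the unkeyed digest lets the airline single out exactly the customers it shares with the provider, and, because email addresses have little entropy, anyone who can guess candidate addresses can reverse the digest by trial. A keyed variant (HMAC with a secret shared only between the two partners) is included to show what a hardened version looks like; it stops outsiders from guessing, but the partners can still single out customers, so the data remains personal data in their hands.

```python
# Added example (not part of the original commentary): why exchanging
# SHA-256 fingerprints of e-mail addresses lets the airline single out
# customers, and why the 'one-way' hash can be reversed by guessing.
# All addresses and keys below are constructed sample data, not real ones.
import hashlib
import hmac
from typing import Iterable, List, Optional

# Constructed sample data: what each partner holds.
AIRLINE_BOOKINGS = ["anna@example.org", "bob@example.com", "carla@example.net"]
PAYMENT_CUSTOMERS = ["bob@example.com", "dora@example.org"]


def normalise(email: str) -> str:
    """Both parties must canonicalise identically or their digests never match."""
    return email.strip().lower()


def fingerprint(email: str) -> str:
    """Unkeyed SHA-256 digest: the 'hash of the e-mail' in the scenario."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def keyed_fingerprint(email: str, shared_key: bytes) -> str:
    """HMAC-SHA256 under a key known only to the two partners. A third party
    without the key cannot run the dictionary attack below, but the partners
    themselves can still match digests and single out their customers."""
    return hmac.new(shared_key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()


def matching_customers(airline_emails: Iterable[str], provider_emails: Iterable[str]) -> List[str]:
    """What the airline learns from the provider's list of digests: exactly
    which of its own customers are also the provider's customers (singling out)."""
    provider_digests = {fingerprint(e) for e in provider_emails}
    return sorted(e for e in airline_emails if fingerprint(e) in provider_digests)


def recover_from_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: e-mail addresses have little entropy, so anyone who
    can enumerate plausible addresses can test each one against the digest."""
    for candidate in candidates:
        if hmac.compare_digest(fingerprint(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    print("shared customers:", matching_customers(AIRLINE_BOOKINGS, PAYMENT_CUSTOMERS))
    leaked_digest = fingerprint("bob@example.com")
    print("recovered from digest:", recover_from_hash(leaked_digest, AIRLINE_BOOKINGS))
```

The point of `recover_from_hash` is that 'cannot be regenerated from the hash' only holds against brute force over the whole input space; against a list of plausible addresses (a customer file, a leaked database, common name patterns at a domain) the digest behaves like the address itself.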
Examples of personal data in the CJEU's case law
There are a number of data types that were already the subject of CJEU case law:
- Name, date of birth, nationality, gender, ethnicity, religion and language;[45]
- Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities;[46]
- Municipality, information concerning the earned and unearned income and assets of a person;[47]
- Salaries of employees of a public body;[48]
- The name of a person in conjunction with their telephone number or information about their working conditions or hobbies;[49]
- Working hours and times, as well as the corresponding breaks and intervals;[50]
- Telephone numbers, employment and hobbies;[51]
As always, whether or not data is actually personal data is a matter of context and case-by-case analysis.
(2) Processing
Processing is another central concept for the application of the GDPR. It is defined as "any operation or set of operations which is performed on personal data".
Any operation or set of operations
The notion of processing is formulated broadly by the GDPR as 'any operation or set of operations'. The inclusion of 'a set of operations' means that, within the GDPR, the word 'processing' may refer to a single processing operation or a set of any number of operations.
The term is further illustrated by a non-exhaustive list of examples:
- Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms;[56]
- Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors;
- Organisation (systematic ordering to enhance access and evaluation of information), such as the allocation of information within databases;
- Structuring (ordering data according to certain criteria), e.g. in numeric or alphabetical order;[57]
- Storage (saving information to a physical and readable format), such as information on paper, files, disks, drives or cloud servers;[58]
- Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income;[59]
- Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation;[60]
- Retrieval (accessing stored information), for example loading information to be displayed on a device;[61]
- Consultation (accessing stored information through targeted searches), such as using search routines to find and display data;[62]
- Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails;[63]
- Disclosure by transmission ('pushing' information to recipients or other third parties), such as sharing customer information with another company;
- Disclosure by dissemination (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting;[64]
- Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines;[65]
- Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions;
- Combination (merging information), such as profiling (see also Article 4(4) GDPR);[66]
- Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website;[67]
- Erasure (irreversibly rendering information inaccessible), such as overwriting data multiple times;[68]
- Destruction (physically destroying the data carrier), such as shredding of files.[69]
The only major exception is where the controller remains completely passive and takes no active step in relation to information that the data subject imposes on it.[70]
Performed on personal data
To be considered as 'processing' the operation in question has to be performed on personal data. Processing of other data does not fall under the definition.
Whether or not by automated means
Processing can be carried out by fully automated, semi-automated, or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.[71]
For example: A person manually enters names into a system. The names are processed. The data is then stored and never looked at again. Storage is also processing and needs to comply with the GDPR. After years the hard drive that the data was stored on gets shredded. The destruction equally constitutes processing.
(3) Restriction of processing
Restriction is a specific form of processing. The restriction of processing means neither a complete prohibition of processing nor the erasure of personal data; it is best described as freezing personal data for a certain period of time.
Usually, the processing of personal data is restricted when the data is no longer required for the purpose for which it was originally collected but cannot be deleted due to legal obligations.[72] A restriction of processing can also be initiated at the request of a data subject under the conditions of Article 18(1) GDPR, or ordered by a data protection authority under Article 58(2)(g) GDPR. For more information, see the commentary on these provisions.
For example: Greta finds out that a credit rating agency holds incorrect information about her; as a consequence, she cannot get a mobile phone contract. The agency has a huge backlog of corrections. In the meantime, the incorrect information can be marked as contested and excluded from use in the system.
Marking of stored personal data
The provision only applies to stored personal data. Personal data that is not at rest does not appear to be subject to a restriction of processing.
Marking the data is usually done by labels in systems or any other similar approach.
Aim of limiting their processing in the future
The restriction is not limited to the marking of the data, but must have the aim of limiting the processing of the personal data in question to very limited purposes.[73] In practice this means that systems also have to react to the marking and, for example, no longer include the data in other processing operations.
Obviously the limitation can only take effect for the future. The fact that the law only requires one to 'aim' for the limitation should not be read as meaning that the limitation need not be fully implemented.
Implementation
Technically, the restriction is realised through markers on the data in question which block it from further processing.[74] In automated systems, the restriction should be ensured by technical safeguards that prevent the personal data from being subject to further processing or changes.[75] In non-automated systems, marking the data alone is typically not sufficient; the data must be relocated to a separate storage system with access restrictions.[76]
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.[77] A data subject who has obtained a restriction must be informed by the controller before the restriction is lifted (Article 18(3) GDPR).
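As an added example that is not part of the original commentary, the following Python script sketches an automated system in which the restriction marker is enforced rather than merely recorded: alteration of a restricted record is refused, processing operations only see restricted records for a small set of exempt purposes, and the restriction cannot be lifted until the data subject has been informed. The records are constructed, and `EXEMPT_PURPOSES` is an assumption standing in for whatever purposes a concrete system is allowed to keep serving under Article 18(2) GDPR.

```python
# Added example (not part of the original commentary): a minimal data store
# in which the restriction marker (Article 4(3) GDPR) blocks further
# processing instead of just being stored alongside the data.
# EXEMPT_PURPOSES and the records are assumptions made for this example.
from dataclasses import dataclass
from typing import Any, Dict, Optional, Set

# Purposes this system still serves for restricted records. Article 18(2)
# GDPR lists the permitted exceptions; which ones apply is a design decision
# of the concrete system, so this set is an assumption.
EXEMPT_PURPOSES: Set[str] = {"storage", "legal_claims"}


class RestrictionError(PermissionError):
    """Raised when an operation would process restricted data."""


@dataclass
class Record:
    data: Dict[str, Any]
    restricted: bool = False
    restriction_reason: Optional[str] = None


class CreditFile:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def add(self, subject_id: str, **data: Any) -> None:
        self._records[subject_id] = Record(dict(data))

    def restrict(self, subject_id: str, reason: str) -> None:
        """Mark the data: the marker is the only change to the record itself."""
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason

    def is_restricted(self, subject_id: str) -> bool:
        return self._records[subject_id].restricted

    def update(self, subject_id: str, **changes: Any) -> None:
        """Alteration is blocked while the restriction stands."""
        rec = self._records[subject_id]
        if rec.restricted:
            raise RestrictionError(f"{subject_id}: restricted ({rec.restriction_reason})")
        rec.data.update(changes)

    def for_purpose(self, purpose: str) -> Dict[str, Dict[str, Any]]:
        """Records a processing operation may use for the given purpose.
        Restricted records are withheld unless the purpose is exempt."""
        return {
            sid: dict(rec.data)
            for sid, rec in self._records.items()
            if not rec.restricted or purpose in EXEMPT_PURPOSES
        }

    def lift_restriction(self, subject_id: str, subject_informed: bool) -> None:
        """Article 18(3) GDPR: the data subject is informed before lifting."""
        if not subject_informed:
            raise RestrictionError(f"{subject_id}: inform the data subject before lifting")
        rec = self._records[subject_id]
        rec.restricted = False
        rec.restriction_reason = None


if __name__ == "__main__":
    cf = CreditFile()
    cf.add("greta", unpaid_bills=3)   # constructed: the contested entry
    cf.add("hans", unpaid_bills=0)
    cf.restrict("greta", "accuracy contested by data subject")
    print("visible to scoring:", list(cf.for_purpose("credit_scoring")))
    print("visible to storage:", list(cf.for_purpose("storage")))
```

The design choice worth copying is that `for_purpose` is the only way a processing operation obtains records, so the restriction is enforced at a single choke point rather than relying on every caller to remember to check the flag.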
(4) Profiling
Profiling is a specific form of processing. The concept is used in various provisions of the GDPR, such as its territorial application (see Article 3(2)(b) GDPR) and automated decision-making (see Article 22 GDPR). Profiling also triggers information duties under Articles 13(2)(f) and 14(2)(g) GDPR, access rights under Article 15(1)(h) GDPR, and the need to perform a data protection impact assessment under Article 35(3)(a) GDPR.
Evaluation of personal aspects
Profiling is defined as a processing operation with the purpose of evaluating personal aspects of a natural person.
Despite the rather specific everyday meaning of 'profiling', there is no minimum threshold as to how much data must be used to constitute profiling, or how personal or sensitive the evaluated aspects must be. The definition is therefore very broad and includes any way of calculating personal aspects of individuals.
Profiling is typically done by applying statistical or mathematical methods to personal data in order to produce an analysis or prediction of personal aspects.[78]
Automatic processing
Manual review of personal data to evaluate personal aspects does not constitute profiling, as the definition requires 'automated processing'.
Exemplary list
The definition provides a non-exhaustive list of common types of profiling, such as:
- performance at work;
- economic situation;
- health;
- personal preferences;
- interests;
- reliability;
- behaviour;
- location; or
- movements.
Practical examples of 'profiling' are therefore:
- Creating customer preferences based on previous purchases or clicks;
- Maintaining customer profiles for more efficient marketing;[79]
- Operating systems for credit rating/scoring;[80]
- Operating e-Recruitment Systems.[81]
(5) Pseudonymisation
Pseudonymisation is a form of processing that alters personal data so that identifying information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. The aim is to reduce risks for the data subjects and help controllers and processors to meet their obligations under the GDPR,[82] such as data minimisation or as part of a data security concept.
Pseudonymised data is a specific type of personal data and still falls under all relevant provisions of the GDPR. Some provisions, however, refer to pseudonymised personal data and treat it (slightly) differently from other personal data:
- Implementing security safeguards (see Article 32(1)(a) GDPR);
- Handling of personal data breaches (see Article 34(3)(a) GDPR);
- Changing purposes of data processing (Article 6(4)(e) GDPR);
- Serving the principles of data minimisation and security (Article 5(1)(c) and (f) GDPR);
- Implementing Data Protection by Design and Default (Article 25 GDPR).
No longer attributed to a specific data subject
In order to count as pseudonymised, the personal data must be processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information. Taken on its own, the pseudonymised data set therefore no longer names the data subject; because the additional information permitting attribution continues to exist, however, the data subject remains identifiable and the data remains personal data (see Recital 26 GDPR).
Additional information permitting attribution
Information allowing attribution to the data subject needs to be stored separately and must be secured by technical and organisational measures that prevent identification.[83]
Implementation
Examples for the pseudonymisation of personal data include:
- Replacement of names by IDs, codes or aliases;[84]
- Encryption of personal data;[85]
- Hashing of personal data.[86]
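As an added example that is not part of the original commentary, the following Python script implements the first of these techniques: direct identifiers are replaced by random tokens, and the re-identification table is returned separately so that it can be stored under its own access controls and deleted independently. The records, the field names, and the choice of `name` and `email` as the direct identifiers are assumptions made for the example. It also shows the flip side of the definition: anyone holding both the data set and the table can attribute every record again, which is why the data stays personal data.

```python
# Added example (not part of the original commentary): pseudonymisation by
# replacing direct identifiers with random tokens. The lookup table is the
# 'additional information' of Article 4(5) GDPR and is returned separately.
# Records, field names and the identifier fields are assumptions.
import secrets
from typing import Any, Callable, Dict, List, Tuple

# Assumption: these fields directly identify the data subject.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records (not real people).
RECORDS: List[Dict[str, Any]] = [
    {"name": "Petra Huber", "email": "petra@example.org", "default_score": 0.12},
    {"name": "Felix Moser", "email": "felix@example.org", "default_score": 0.40},
    {"name": "Petra Huber", "email": "petra@example.org", "default_score": 0.15},
]


def pseudonymise(
    records: List[Dict[str, Any]],
    new_token: Callable[[], str] = lambda: secrets.token_hex(8),
) -> Tuple[List[Dict[str, Any]], Dict[str, Dict[str, str]]]:
    """Return (pseudonymised records, lookup table).

    The same person always receives the same token, which keeps the data set
    usable (e.g. for scoring over time) but is also exactly what makes the
    records attributable again once the lookup table is available."""
    lookup: Dict[str, Dict[str, str]] = {}          # token -> identifiers
    token_for: Dict[Tuple[str, ...], str] = {}     # identifiers -> token
    out: List[Dict[str, Any]] = []
    for rec in records:
        identity = tuple(str(rec[f]) for f in DIRECT_IDENTIFIERS)
        token = token_for.get(identity)
        if token is None:
            token = new_token()
            token_for[identity] = token
            lookup[token] = dict(zip(DIRECT_IDENTIFIERS, identity))
        out.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudonymised: List[Dict[str, Any]], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, Any]]:
    """What anyone holding both the data set and the lookup table can do."""
    return [
        {**lookup[rec["subject"]], **{k: v for k, v in rec.items() if k != "subject"}}
        for rec in pseudonymised
    ]


def contains_direct_identifiers(records: List[Dict[str, Any]]) -> bool:
    """Sanity check before handing a data set to a less trusted system."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    data, table = pseudonymise(RECORDS)
    print("pseudonymised:", data)
    print("lookup table (store separately):", table)
    print("re-identified:", reidentify(data, table))
```

Random tokens are used here instead of a hash of the name or email precisely because an unkeyed hash of a low-entropy identifier can be reversed by guessing; a keyed hash would also work, in which case the key takes the place of the lookup table as the additional information that must be kept separate.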
Difference to anonymization
The distinction between anonymised and pseudonymised data turns on the decisive criterion of 'reasonable likelihood' in sentences 3 and 4 of Recital 26 GDPR, considering the cost, time and technology required to identify the data subject. With the emergence of big data analytics and advanced data processing capabilities, however, anonymisation is becoming increasingly difficult to achieve.[87]
Common mistake: Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definitive removal of any information allowing identification of the data subject; the GDPR therefore does not apply to anonymised data.[88] Pseudonymisation, on the other hand, still allows identification through the use of additional information and is therefore reversible.[89]
(6) Filing system
The definition of a 'filing system' is relevant for the application of the GDPR in cases of non-automated data processing (see Article 2(1) GDPR).
Set of personal data
A filing system is characterised by a structured set of personal data. The data can be stored on a single or on multiple data carriers, in a centralised or decentralised manner. A filing system does not require the storage of information on multiple persons; structured information on a single person may qualify as a filing system.[90]
Structured by specific criteria
A set of data is only a structured filing system if it is accessible according to specific criteria. The structure of the information must allow a targeted search of personal data.[91] For example, when personal data on a particular person is 'retrievable' it already satisfies this requirement.[92]
Typical examples
Examples are:
- Paper archives, sorted by name, date or any other system;
- Salary lists on employees;[93]
- Saved letter-correspondence with customers;[94]
- Covid-19 guest lists sorted by date.[95]
(7) Controller
The controller is the main addressee of obligations under the GDPR. The controller is defined as the body that determines the purposes and means of the processing. This broad definition of the concept of controller is intended to ensure the effective and complete protection of data subjects.[96]
Objective approach
The GDPR requires that the controller be determined on the basis of the objective facts of the case. Mere declarations in contracts, privacy notices and the like therefore do not constitute a binding determination of controllership. The objective approach requires a detailed assessment, but it also prevents so-called 'forum shopping' and the shifting of responsibility.
Any natural or legal person
A controller can be any natural or legal person, public authority, agency or other body. Everyone with legal capacity can be a controller when processing personal data, including individuals, private legal entities, or government entities. It is necessary to assign the determination of purpose and means (see below) to a responsible entity. Departments, individual establishments, or other elements that are not legally independent form one controller together with the legal entity that they belong to.[97]
It is ultimately a matter of national law whether, for example, works councils within a company or individual government entities form a legally separate body. If they are legally separate holders of rights and duties, they can be a separate controller.
If a person within the controller acts outside of their assigned capacity and processes personal data for their own purpose, their acts cannot be attributed to the controller and they become their own controller, with their own responsibilities of any processing operation they may undertake.[98]
For example: In Member State 'A' schools are their own legal entity. In Member State 'B' schools are part of the Ministry of Education and are not separate holders of rights. In Member State 'A' the school is typically the controller for processing operations within it, while in Member State 'B' the Ministry is typically the controller. If the computer science teacher in either school decides to use a school server to host his own private software project, the teacher is typically considered a separate controller.
Determination
The key element of the controller definition is the focus on the entity making the relevant determinations for any processing activity. The determinations of persons acting on behalf of an entity are attributed to that entity. It is necessary to review which entity, or element within an entity, objectively made determinations about the purpose and means. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.[99]
Merely formal declarations are not relevant. Especially in complex situations where many players are involved in the processing operation, the proper identification of the controller may prove to be complex.
For example: Company 'A' offers an app to users. The head of the IT department suddenly decides that personal data of users will be processed for the purpose of product improvement and advertisement of the app itself. The CEO of the company does not raise any objections. Company 'A' is the controller for the processing operations and ultimately responsible for complying with the GDPR.
Purposes
Personal data may only be processed for a specified, explicit and legitimate purpose (see Article 5(1)(b) GDPR). The body that decides on the purpose is typically the controller. The determination of the purpose is the primary element to review when assessing controllership.[100]
Means
The means include the personal data that is processed to achieve the purpose, the duration of the processing, the recipients of the personal data, and the technical means used to process it, such as hardware or software.[101] The controller need only determine the means; it does not have to control them physically.
For example: A company uses an external service for statistical analysis. The systems of the external service collect personal data and calculate the results. The company does not even have access to the raw information. Nevertheless, the company has determined the purposes and means of the processing (including the described system) and is hence the controller.
Opening clause for a determination by EU or Member State law
Article 4(7) GDPR allows that specific EU or national law (lex specialis) may assign the controllership to a certain entity for specific processing operations. Such provisions typically define controllership when private entities act in the public interest or are fulfilling public tasks. The clause also allows Member States to clarify controllership among different public bodies or elements. Such explicit determinations in EU or national law should not be confused with generic national laws that assign certain duties to an entity without determining controllership itself.
In case national law makes such a determination, it should be ascertained whether that law specifies the controller or lays down the criteria applicable to its nomination.[102]
"It must also be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned [...]"
CJEU - C-200/23 - Agentsia po vpisvaniyata, margin number 74.
Joint controllership
Where decisions on the purposes and means of the processing are taken jointly, responsibility can be shared between several entities. In such cases of 'joint' or 'co-'controllership, the entities have to determine their respective responsibilities in an arrangement according to Article 26 GDPR. What ultimately matters, however, is the factual influence on the processing of the personal data[103] (see Recital 79 GDPR). The participation and influence of the actors involved on the purposes and means can differ considerably. In order to ensure effective and complete protection of the data subject, the concept of 'controller' is interpreted broadly in the case law.[104]
For example, a joint controllership is assumed between:
- Search engine operators and the websites on which information is structured, presented and complemented with advertisements within search results;[105]
- Facebook and the entity administering pages on the social network;[106]
- Websites that integrated elements of a third-party controller, such as a ‘Like Button’.[107]
In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller, as required by Article 26 GDPR.
EDPB Guidelines: On this provision, see the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
(8) Processor
In practice most controllers do not process all their personal data themselves, but use various external providers, such as hosting providers, SaaS providers or so-called 'Cloud' providers, that process data on their behalf. The GDPR regulates these 'processors', as well as the interplay between the controller and the processor.
Once an entity qualifies as a 'processor', many provisions of the GDPR apply, such as the required implementation of technical and organisational measures (see Article 32 GDPR) as well as the possibility of being fined (see Article 82 GDPR). Of additional relevance is Article 28 GDPR, which is intended to ensure compliance with the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on Article 28(3) GDPR.
It should be noted that this definition includes the initial processor engaged directly by a controller as well as sub-processors along the processing chain (processors engaged by another processor).[108]
Any natural or legal person
Just like a controller, a processor can be any natural person, legal person, public authority, agency, or body. Internal units that process personal data on behalf of another department within the same legal entity (e.g. an IT department) are not processors, but are part of the controller.
Processing on behalf of the controller
The most important distinction is that, unlike the controller, the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.[109]
Sub-Processors
A special form of the processor is the 'sub-processor', i.e. another processor engaged by the processor itself. In theory, there can be any number of further sub-processors in the chain. In practice, such setups are very hard for a controller to manage. For further information, see the commentary on Article 28(2) and (4) GDPR.
Distinction to a (joint) controller
In practice, major IT companies (usually 'processors') are often more in control of processing operations than their commercial customers (usually 'controllers'). They usually offer a standard product with very specific terms and conditions, over which many controllers have little influence. Therefore, it can be difficult to distinguish a 'joint controller' or 'co-controller' from a processor.
Roles are specific for each processing operation
Usually, each processor also conducts processing operations for which it is itself the controller. This is also the case whenever the processor acts against the instructions of the controller and processes personal data for its own further purposes. In all these situations, it qualifies as a controller.[110]
Exemplary list
In this regard, the Working Party 29[111] provides some references as examples of controller-processor relationships:
- Outsourcing of call centers for customer communications;[112]
- Outsourcing of mail services;[113]
- Cloud Hosting and grid computing;[114]
- A separate entity specialized in data processing within a group of companies.[115]
EDPB Guidelines: On this provision, see the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
(9) Recipient
The 'recipient' is an umbrella term, defined as anybody (such as controllers, processors or third parties) to whom personal data is disclosed. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.[116] The concept of the recipient is primarily relevant in terms of the information obligations of the controller. According to Articles 13 to 15 GDPR,[117] the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, once it discloses personal data to another entity, can no longer bear full responsibility for the processing on its own.[118] Listing the recipients ensures that the data subject is fully informed as to the whereabouts of their personal data.
Any natural or legal person
Just like a controller or processor, a recipient can be any natural person, legal person, public authority, agency, or body. On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.[119]
Disclosure
The core element of the definition is the 'disclosure' of personal data. This includes any voluntary act of data sharing, including transmission, dissemination or otherwise making available (see Article 4(2) GDPR).[120]
Processors
There is an ongoing discussion as to whether a 'processor' can also be considered a 'recipient'. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.[121] However, the concept of the recipient is completely independent of that of the third party.[122] With Article 4(8) GDPR, the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, Article 28 GDPR does not relieve the controller of its obligation to inform the data subjects about its processors as recipients according to Articles 13 to 15 GDPR.[123]
Exception for public authorities
An exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities, receiving personal data in the context of a particular inquiry.[124] Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.[125]
(10) Third Party
The term 'third party' is used to describe anyone other than the data subject. This notion becomes relevant mostly in terms of evaluating interests, such as in Article 6 (1)(f) GDPR.[126]
Negative definition
'Third party' is a negative definition: any natural or legal person, public authority, agency, or body other than:
- the data subject;
- controller;
- processors; or
- any other person authorized to process personal data by the controller.
Dynamic classification of third parties
While an entity may be a third party from the perspective of a given controller, it may itself be a controller or processor for any processing operation it conducts. The notion of a 'third party' is therefore not absolute, but depends on the circumstances of a given processing operation.
Typical cases
Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.[127] Dependent branches or departments of a controller are likewise not considered third parties, except where they are located outside the EU.[128] Similarly, internal staff of the controller are not third parties, unless an employee uses personal data for their own purposes outside of the employment context.[129] In this case, although considered a third party from the point of view of the controller, the employee becomes a controller themselves for the processing of the personal data.[130]
EDPB Guidelines: On this provision, see the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
(11) Consent
Consent is one of the legal bases, mentioned under Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data.
The requirements for consent require a joint reading of Articles 4(11), 6(1)(a), 7 and 8 GDPR.
- For the definition of 'consent', see the commentary under Article 6(1)(a) GDPR and Article 7 GDPR.
- For the definition of 'explicit consent', see the commentary under Article 9(2)(a) GDPR.
EDPB Guidelines: On this provision, see the EDPB Guidelines 05/2020 on consent under Regulation 2016/679.
(12) Personal data breach
The definition of 'personal data breach' is relevant for the notification duties under Articles 33 and 34 GDPR.
Breach of security
The definition of a data breach requires a security breach, such as a failure of technical or organisational safeguards implemented by the controller according to Article 32 GDPR.
Accidental or unlawful
These failures can be caused either by accident (e.g. through mishandling of personal data by the controller, its employees and the like) or by unlawful acts (e.g. targeted attacks, hacking or a physical break-in).[131]
Destruction, loss, alteration, unauthorised disclosure, or access
As a consequence, the incident has to lead to the accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to such data. Whenever personal data is disclosed, this qualifies as a personal data breach through the mere possibility of accessing that data; actual access to the disclosed data is not necessary.[132]
Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.[133]
Typical cases
Some examples for personal data breaches are:
- Hacking attacks on systems involving personal data;[134]
- Missing access protection for data storage or buildings;[135]
- Sending data to unintended recipients;[136]
- Employees unlawfully distributing data to third parties;[137]
- Accidentally publishing or leaking data on a website;[138]
- Loss of physical data carriers;[139]
- Destruction of data storage infrastructure;[140]
- Irreversible encryption through ransomware;[141]
- Unlocked storage of employee files.[142]
(13) Genetic data
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow clear conclusions on growth, metabolism, appearance, disease or the like, whether already present or emerging in the future.[143] Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.
The classification as genetic data is relevant in terms of Article 9(1) GDPR, which only allows its processing under strict requirements.[144] This is due to the sensitive character of such data, which allows a unique identification of the data subject and, at the same time, reveals personal health data[145] on them and their biological relatives.[146] Especially in terms of hereditary diseases, genetic data carries a high risk of abuse in the context of employment and insurance.[147]
(14) Biometric data
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person, obtained from specific technical processing, which allow for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,[148] the requirements of specific technical processing and unique identification set a higher threshold.
The definition itself names facial images and fingerprints[149] as examples of biometric data. However, the requirement of specific technical processing means that simple pictures or even passport photographs are not considered biometric data as such.[150] Further processing through facial recognition software, however, would qualify the extracted information as biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,[151] as well as typing patterns or even handwritten signatures,[152] may be considered biometric data.
Other data that does not allow a unique identification, such as body size or blood type, may not be considered biometric data.[153] However, such data may then fall under the definition of ‘health data’, which enjoys similar protection to that afforded to biometric data according to Article 9(1) GDPR.
(15) Data concerning health
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, including data on the provision of health care services which reveals such information. According to Recital 35 GDPR, this includes all data referring to the health status of the data subject in the past, present or future. In this regard, any information on diseases, risks and disabilities, in addition to medical treatment and history, of a particular natural person explicitly qualifies as health data.[154]
Examples of health data include information about:
- Addictions to alcohol, drugs or medications as well as the participation in self-help groups;[155]
- Hospitalizations, sick notes and sick payments;[156]
- Physical or mental incapacity to work;[157]
- Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.[158]
The notion of health data is therefore broader than ‘medical data’.[159] Furthermore, it strongly overlaps with the notions of genetic and biometric data,[160] so as to allow a seamless and high level of protection within the scope of Article 9 GDPR.[161] For further information, please see the commentary on Article 9 GDPR.
EDPB Guidelines: On this provision, see the EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak.
(16) Main establishment
If a controller or processor has establishments in more than one Member State, identifying its 'main establishment' is the first step in determining the lead supervisory authority in a cross-border procedure under Article 56 GDPR.
Objective criteria
The main establishment of an entity must be determined according to objective criteria.[162] As the main establishment determines the relevant supervisory authority, the Working Party 29 stressed that the GDPR does not permit 'forum shopping' and conclusions cannot be based solely on statements by the controller or processor. The controller or processor’s analysis can be overturned based on an objective examination of the relevant facts.[163]
(a) Main establishment of a controller
General rule: central administration
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, "the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented".[164]
Recital 22 GDPR defines an establishment as "the effective and real exercise of activity through stable arrangements". The legal form of such arrangements is irrelevant. According to C-230/14 - Weltimmo, an establishment depends on "both the degree of stability of the arrangements and the effective exercise of activities in that other Member State [which] must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned".[165] In this regard, merely the presence of a single representative can constitute a stable arrangement, when they are acting with a sufficient degree of stability and have the necessary equipment to provide the specific services in the member states concerned.[166]
Exception: processing decisions in another establishment
If a controller’s main establishment is not the place of its central administration in the EU, the exception to the general rule applies. In this case, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.[167] This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the Working Party 29 developed several guiding questions:[168]
- Where are decisions about the purposes and means of the processing finally signed off?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director with responsibility for cross border processing located?
- Where is the controller or processor registered as a company?
(b) Main establishment of a processor
Central administration
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.
See above for details on determining the central administration.
No central administration
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is the establishment in the Union where the main processing activities take place, provided that establishment is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.[169]
The meaning of 'the context of activities' has already been specified in C-131/12 - Google Spain. The CJEU built on a broad definition of 'establishment' and clarified that the mere intention of a Member State establishment to provide advertising space for a third-country undertaking constitutes processing of personal data in the context of the Union establishment.[170]
Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU "even if the local establishment is not actually taking any role in the data processing itself".[171] This reasoning can be based on an "inextricable link" between activities of an establishment in the EU and data processing by a non-EU controller or processor.[172]
Cases involving both the controller and the processor
Recital 36 GDPR explains that "in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment". This is not reflected in the text of the relevant Articles.
For details see the commentary on Article 56 GDPR.
(17) Representative
Where a controller or processor not established in the Union falls under the territorial scope of Article 3(2) GDPR due to processing activities related to data subjects in the Union, it must, in accordance with Article 27 GDPR, appoint a representative in the EU. A representative is any natural or legal person established in the Union, designated by the controller or processor.
For more details and exceptions to the obligation to designate a representative see the commentary on Article 27 GDPR.
(18) Enterprise
An 'enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of an enterprise, irrespective of its size, legal form or the interests pursued.[173] An enterprise requires a regular engagement in economic activities, meaning activities intended to be carried out over the long term and not only occasionally.[174] Being a 'small [or] medium enterprise' is a precondition for the waiver of the duties under Article 30(5) GDPR.
While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, other language versions merge both into a single notion (such as 'Unternehmen' in German or 'entreprise' in French).[175] This caused confusion around the assessment of fines according to Article 83 GDPR, which in the English language version refers to the term 'undertaking' in accordance with Articles 101 and 102 TFEU, and thereby not to the definition in Article 4(18) GDPR.[176] The broader definition of an 'undertaking', which includes parent companies and all subsidiaries, leads to higher fines for such structures when the fine is calculated based on the global turnover.
(19) Group of undertakings
A group of undertakings consists of a leading ('controlling') entity and one or more entities dependent on it ('controlled' entities).[177] The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.[178] This is usually the case between a holding company and its subsidiaries.[179] In this regard, the mere possibility of exercising control over the other entity is sufficient; an actual exercise of such control is not necessary.[180] As long as one entity has the factual power to assert its will over the other entities,[181] they qualify as a group of undertakings.[182]
Two undertakings are sufficient to form a group.[183] However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.[184]
The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:
- The joint designation of a Data Protection Officer (Article 37(2) GDPR);
- The formulation of binding corporate rules (Article 4(20) GDPR, Article 47 GDPR);
- The data transfer for internal administrative purposes (Article 6(1)(f) GDPR in conjunction with Recital 48 GDPR);[185]
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).
However, the notion is to be distinguished from a "group of enterprises engaged in a joint economic activity", which can jointly use binding corporate rules under Article 47 GDPR. Such a group consists of separate and independent entities which do not exercise control over each other,[186] and which therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.
(20) Binding corporate rules
Binding corporate rules (short ‘BCR’) are data protection policies formulated by controllers or processors established in the Union for transfers of personal data to entities within their group that are established outside the Union. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.[187] However, they only apply to intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.
For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on Article 47 GDPR.
(21) Supervisory authority
Supervisory Authorities ('SAs') or, colloquially, 'Data Protection Authorities' ('DPAs') are the independent public authorities responsible for monitoring the application of the GDPR under Article 51 GDPR. Member States can decide to provide only one or multiple supervisory authorities, to reflect their constitutional, organisational and administrative structure.[188]
For example, Austria, France and Ireland each have a single supervisory authority for enforcing the GDPR. The Irish and French supervisory authorities are also in charge of enforcing the ePrivacy Directive 2002/58/EC, whereas Austria gave this power to the telecoms regulator. Germany has a federal supervisory authority and at least one authority for each of the sixteen German states; some states have more than one authority, for different types of controllers.
Supervisory authorities act independently (see Article 52 GDPR) and shall be provided with various competencies (Articles 55, 56 GDPR), tasks (Article 57 GDPR) and powers (Article 58 GDPR). For further information, see the particular commentary on the named articles.
(22) Supervisory authority concerned
Only 'supervisory authorities concerned' have certain roles in the cooperation procedure under Articles 60 to 66 GDPR. Other supervisory authorities may not participate in the relevant procedures. A supervisory authority qualifies as ‘concerned’ in three situations laid out by Article 4(22) GDPR:
- For a controller or processor, when it is established in a member state of a supervisory authority,
- for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
- where a complaint has been lodged with that supervisory authority.
Controller or processor establishment
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,[189] irrespective of whether such arrangements take the form of an actual branch or subsidiary within the Union.[190] This broad understanding is supported by the CJEU, which includes any real and effective activity exercised through stable arrangements, regardless of its formal qualification as an establishment.[191]
(Likely) substantial effect on the data subject
Although the GDPR does not further specify what ‘substantially affects’ means, the wording indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.[192] However, the mere likelihood of such an impact is sufficient; an actual effect is therefore not required. Whether processing substantially affects data subjects, or is likely to do so, is decided by the DPA on a case-by-case basis.[193] In any case, this requires the data subject to reside in the Member State of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.[194]
Filing a complaint with the supervisory authority
Filing a complaint with a particular supervisory authority makes it a ‘concerned’ authority. Since complaints can also be filed with DPAs other than the one where the data subject resides,[195] a supervisory authority can be 'concerned' without the data subject having a residence within the EU or being (likely) substantially affected. For further information on filing a complaint with a supervisory authority, see the commentary on Article 77 GDPR.
(23) Cross-border processing
The definition of 'cross-border processing' is not intuitive, as not every form of cross-border processing is 'cross-border' under the GDPR. The limited definition in turn limits the application of the ‘one-stop-shop’ system, which is further described within the commentary of Article 56 GDPR.
(a) Processing in the context of establishments within multiple Member States
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,[196] independent of the formal declaration as a branch or subsidiary within the Union.[197] Furthermore, the processing is not required to be carried out within the establishment itself, but can also take place in the context of its activities. If the establishment in the EU is not directly processing the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.[198] Merely remote links to the processing in question, however, do not involve another establishment and therefore do not constitute ‘cross-border processing’.[199]
(b) Processing (likely) to substantially affect data subjects in multiple Member States
A substantial effect again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.[200] In this regard, the mere likelihood of such an impact is sufficient; an actual effect is therefore not required. Whether processing substantially affects data subjects, or is likely to do so, is decided by the DPA on a case-by-case basis.[201]
(24) Relevant and reasoned objection
A ‘relevant and reasoned objection’ is an objection by a supervisory authority concerned[202] to a draft decision provided by a lead supervisory authority.[203] When such an objection is submitted by the supervisory authorities concerned, the lead supervisory authority can either follow the objection (see Article 60(4) GDPR) or submit the matter to the EDPB (see Article 65(4) GDPR).
In order to limit objections by other supervisory authorities,[204] Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. They must also 'clearly demonstrate' the 'significant risks' posed by the draft decision,[205] either for the fundamental rights and freedoms of data subjects or the free flow of personal data within the Union. As a consequence, it is not enough for a concerned supervisory authority to just raise a concern that a draft decision by the lead supervisory authority is unlawful.
For details see the commentary on Articles 60 and 65 GDPR.
(25) Information society service
For the definition on ‘information society service’ the GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535. The classification as information society service becomes relevant in several contexts of the GDPR, such as children’s consent (see Article 8(1) GDPR) or the right to object (see Article 21(5) GDPR).
At a distance
‘At a distance’ means that the service is provided without the parties being simultaneously present.[206] Thus, even when electronic means are used, services provided in the physical presence of both the provider and the recipient do not fall within this definition.[207]
Electronic means
‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example, through being transmitted by wire, radio, optical or other electromagnetic means.[208] While offline services are excluded from this definition,[209] composite services such as the selling of goods, advertising and gaming do qualify as such.[210]
Individual request
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.[211] Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, and teletext are therefore not covered.[212] On the contrary, video-on-demand or pay-per-view services do qualify as information society services.[213]
Typical cases
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:[214]
- Online legal or health services;
- Online libraries or newspapers;
- Online shopping and booking services;
- Online media-platforms or video games;
- Online search engines and web browsers.
(26) International organisation
An ‘international organisation’ means any organisation, or subordinate body of such an organisation, which is governed by public international law or set up by an agreement between two or more countries. The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to Articles 44 to 50 GDPR. While the Data Protection Directive only regulated data flows to third countries, the GDPR extends the applicability of these rules to international organisations as well.[215] For more information on the principles and additional safeguards placed on such transfers, please see the commentary on Articles 45 to 49 GDPR.
While the GDPR provides no universally accepted or further specified definition of the term, the general definition in the Vienna Convention on the Law of Treaties of 1969[216] serves, according to the CJEU, as a source of inspiration for interpreting EU law.[217] However, Article 2(1)(i) of the Convention defines an international organisation merely as an ‘intergovernmental organisation’, thereby failing to deliver a more specific definition. Moreover, since neither of the two routes to qualifying as an international organisation, through public international law or through a multilateral agreement, is further delineated by the GDPR, a broad and flexible approach to the term is suggested.[218]
In this regard, most organisations such as the United Nations (UN), the International Telecommunication Union (ITU), the World Trade Organization (WTO) as well as Interpol and Europol fall under the term.[219] These examples are not exhaustive, and the term extends to other international organisations. Only NGOs, which are usually established as private initiatives and governed by domestic Member State law, do not qualify as such.[220]
Decisions
→ You can find all related decisions in Category:Article 4 GDPR
References
- ↑ Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available here).
- ↑ Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, p. 19.
- ↑ German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available here).
- ↑ Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available here).
- ↑ Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available here); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available here).
- ↑ European Court of Human Rights, Amann v. Switzerland [GC], no. 27798/95.
- ↑ For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; in fact, the GDPR provides tools to rectify incorrect information, see Article 16 GDPR.
- ↑ Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available here).
- ↑ A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available here).
- ↑ CJEU, Nowak, 20 December 2017, margin number 35 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available here), for example medical records on a patient, or the file of an employee.
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).
- ↑ Klar/Kühling/Herbst, in Kühling/Buchner, DS-GVO BDSG, Article 4(2) GDPR, margin number 38 (C.H. Beck 2020).
- ↑ See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).
- ↑ Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
- ↑ WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here); Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); CJEU, C-582/14, Breyer, 19 October 2016, margin number 38 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available here) with reference to the Commission.
- ↑ For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here).
- ↑ CJEU, C-582/14, Breyer, 19 October 2016, margin number 43 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
- ↑ CJEU Case C‑582/14, Breyer, 19.10.2016, margin number 49 (available here).
- ↑ Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).
- ↑ Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
- ↑ Recital 14 sentence 1 GDPR.
- ↑ Universal Declaration of Human Rights, 10 December 1948 (available here).
- ↑ However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available here).
- ↑ See Recital 27 sentence 1 GDPR.
- ↑ See Recital 27 sentence 2 GDPR.
- ↑ Especially where genetic diseases of parents indicate that their children may suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available here).
- ↑ Recital 14 sentence 2 GDPR.
- ↑ See Article 1 Directive 2002/58/EC.
- ↑ See Karg, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).
- ↑ CJEU, C-141/12, YS and Others, 17 July 2014 (available here).
- ↑ CJEU, C-524/06, Huber, 16 December 2008 (available here).
- ↑ CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available here).
- ↑ CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available here).
- ↑ CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
- ↑ CJEU, C-342/12, Worten, 30 May 2013 (available here).
- ↑ CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
- ↑ CJEU, C-582/14, Breyer, 19 October 2016 (available here).
- ↑ CJEU, C-212/13, Ryneš, 11 December 2014 (available here).
- ↑ CJEU, C‑434/16, Nowak, 20 December 2017 (available here).
- ↑ CJEU, C‑291/12, Schwarz, 17 October 2013 (available here).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).
- ↑ Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).
- ↑ Recital 67 GDPR.
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).
- ↑ Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).
- ↑ Herbst, in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).
- ↑ Recital 67 sentence 2 GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).
- ↑ Recital 67 sentence 1 GDPR.
- ↑ Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).
- ↑ Recital 70 GDPR.
- ↑ Recital 71 sentence 1 GDPR.
- ↑ Recital 71 sentence 1 GDPR.
- ↑ Recital 28 sentence 1 GDPR; see also Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).
- ↑ Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).
- ↑ Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(5) GDPR, margin number 9 (C.H. Beck 2020).
- ↑ Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).
- ↑ Recital 26 GDPR.
- ↑ Hullen, Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021); and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available here).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).
- ↑ CJEU, Case C-200/23, Agentsia po vpisvaniyata, 4 October 2024, margin number 72 (available here).
- ↑ Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 9 (C.H. Beck 2020), with further references.
- ↑ Hartung, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 10 (C.H. Beck 2020).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available here).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4(7) GDPR, margin number 15 (Jan Sramek Verlag 2021).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4(7) GDPR, margin number 22 (Jan Sramek Verlag 2021).
- ↑ CJEU, Case C-200/23, Agentsia po vpisvaniyata, 4 October 2024, margin number 73 (available here).
- ↑ Hartung, in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).
- ↑ CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available here).
- ↑ CJEU, C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available here), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.
- ↑ CJEU, C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available here), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.
- ↑ CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available here), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.
- ↑ EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 17 (available here).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available here) and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and Jahnel, in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available here).
- ↑ More precisely, Article 13(1)(e) GDPR, Article 14(1)(e) GDPR and Article 15(1)(c) GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).
- ↑ Hartung, in Kühling/Buchner, DS-GVO BDSG, Article 4(9) GDPR, margin number 6 (C.H. Beck 2020).
- ↑ See Article 4(8) GDPR and Article 4(10) GDPR.
- ↑ See Article 4(9) GDPR, “whether a third party or not“.
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).
- ↑ Article 4(9) sentence 2 GDPR.
- ↑ Recital 31 sentence 1 GDPR.
- ↑ See also Article 13(1)(d) GDPR, Article 14(2)(b) GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available here); and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available here); and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
- ↑ Wording: “otherwise processed”.
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).
- ↑ Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, Article 9(4) GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).
- ↑ Usually through the creation of reference patterns (templates) that are later compared with the data subject for unique identification, see Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).
- ↑ Also called 'Dactyloscopic data'.
- ↑ Recital 51 GDPR, “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
- ↑ Recital 35 sentence 2 GDPR.
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
- ↑ Petri, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).
- ↑ See Recital 35, “Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples”.
- ↑ However, in some cases (e.g. in the public health sector) it can be necessary to process sensitive data without the data subject's consent, see Recital 54 GDPR.
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available here).
- ↑ CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available here).
- ↑ CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).
- ↑ CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available here).
- ↑ WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
- ↑ WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).
- ↑ For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").
- ↑ See Recital 150 sentence 3 GDPR.
- ↑ Recital 37 sentence 1 GDPR.
- ↑ Recital 37 sentence 1 GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).
- ↑ For example, by having personal data protection rules implemented; see Recital 37 sentence 1 GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).
- ↑ Pötters/Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “group privilege light”.
- ↑ Feiler, Forgó, EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).
- ↑ See Article 46(2)(b) GDPR.
- ↑ Recital 117 GDPR.
- ↑ See Recital 22 sentence 2 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).
- ↑ CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29; and CJEU, C-131/12, Google Spain, 13 May 2014, margin number 54.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).
- ↑ For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
- ↑ See Recital 124 sentence 3 GDPR.
- ↑ See Recital 22 sentence 2 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29; and CJEU, C-131/12, Google Spain, 13 May 2014, margin number 54.
- ↑ CJEU, C-131/12, Google Spain, 13 May 2014, margin numbers 53, 56; CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 25.
- ↑ For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).
- ↑ For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).
- ↑ See Article 4(22) GDPR.
- ↑ See Article 56 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).
- ↑ Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.
- ↑ Article 1(1)(b)(i) Directive (EU) 2015/1535.
- ↑ For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) Directive (EU) 2015/1535.
- ↑ Article 1(1)(b)(ii) Directive (EU) 2015/1535.
- ↑ See also Annex I(2.) Directive (EU) 2015/1535.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available here).
- ↑ Article 1(1)(b)(iii) Directive (EU) 2015/1535.
- ↑ See Annex I(3.) Directive (EU) 2015/1535.
- ↑ CJEU, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).
- ↑ See Schröder, in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).
- ↑ Available here.
- ↑ CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available here); see also Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 306 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).