Article 4 GDPR: Difference between revisions

From GDPRhub
 
(48 intermediate revisions by 11 users not shown)
Line 255: Line 255:
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span>
<span id="26">26. ‘'''international organisation'''’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.</span>


==Commentary==
==Relevant Recitals==
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.
 
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Others definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation.
 
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation other language versions may be consulted to identify and resolve discrepancies.
 
===(1) Personal Data===
The principal concept of the GDPR is that of ''‘personal data''’, as the Regulation only applies to personal data and refers to it throughout the text of the GDPR.
 
Its definition developed from previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which <cite>“personal data” means any information relating to an identified or identifiable individual</cite>.
 
The definition can be divided into the four requirements of (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) 'individual' requiring their cumulative fulfillment in order to satisfy the notion of personal data.
 
==== Relevant Recitals ====
{{Recital/14 GDPR}}
{{Recital/14 GDPR}}
{{Recital/15 GDPR}}
{{Recital/15 GDPR}}
{{Recital/26 GDPR}}
{{Recital/26 GDPR}}
{{Recital/27 GDPR}}
{{Recital/27 GDPR}}
{{Recital/28 GDPR}}
{{Recital/29 GDPR}}
{{Recital/29 GDPR}}
{{Recital/30 GDPR}}
{{Recital/30 GDPR}}


==== Any Information ====
==Commentary==
Article 4 GDPR provides a list of definitions used to further specify relevant terms used throughout the GDPR.
 
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build upon the already existing terms. Other definitions, however, are newly introduced, modified, or complemented with additional elements, and therefore require a new interpretation.
 
===(1) Personal data===
The principal concept of the GDPR is that of ''‘''personal data’, as the Regulation only applies to personal data and refers to it throughout the text of the GDPR.
 
Its definition developed from a previously existing definition under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Article 2 (a) Directive 95/46/EC].<ref name="com-2012-11-p9">Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available [https://data.consilium.europa.eu/doc/document/ST-5853-2012-INIT/en/pdf#page=9 here]).</ref> The Directive itself derives the definition from [https://rm.coe.int/1680078b37 Article 2 (a) Convention 108],<ref name="com-90-314-p19">Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314#page=19 p. 19].</ref> according to which "''personal data means any information relating to an identified or identifiable individual''".
 
The definition can be divided into the following four requirements: (1) ‘any information’; (2) ‘relating to’; (3) ‘an identified or identifiable’; (4) 'individual'.  The fulfilment of all of these aspects is required in order to satisfy the notion of personal data.
 
==== Any information ====
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.


In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]).
</ref> This position is supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [http://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Equally, the European Court of Human Rights stated that: <cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref>
</ref> This position is supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [http://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Equally, the European Court of Human Rights stated that <cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite>.<ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95].</ref>


Accordingly, personal data includes any information, no matter if it relates to the individual’s private and family life and information regarding the working, economic or social behavior of the individual regardless of its position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> <blockquote><u>Example:</u> Petra is keeping various information on her smartphone. This includes information that she does not seem to treat as private, as she even shares them online on widely available platforms, with her name attached, but there is also information about her love and sex life in chats, that she clearly feels are very private. In addition she keeps data in relation to her job as an independent contractor on her phone. The GDPR covers all such information - no matter if the information is trivial or extremely sensitive, private or related to her business.</blockquote>The Information can either be ‘objective’ such as unchangeable characteristics of a data subject as well as ‘subjective’ in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6];  especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref> This means that also mere likeliness, predictions or planning information is covered by the GDPR, as long as it relates to a person.<blockquote><u>Examples:</u> Petra is also customer of a bank with a private and a commercial bank account. The bank does not only hold her name, address, contact data or passport information, but also all her transaction data. In addition the bank also uses a system to predict if Petra may default on her loan. For the prediction the Bank uses information about unpaid bills from a third party provider. The information is actually incorrect, as Petra always paid her bills. All such data is covered by the GDPR, allowing Petra to e.g. use her rights under the GDPR to take action against incorrect information associated with her.</blockquote>With regards to the format or medium of the information, data of any type, may it be alphabetical, numerical, (photo)graphical, acoustic, is concerned. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The GDPR deliberately does not specify the medium or types of information, following a "''tech neutral''" approach.
Accordingly, personal data includes any information, no matter if it relates to the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> <blockquote>{{Quote-example|Petra is keeping various information on her smartphone. This includes information that she does not seem to treat as private, as she even shares them online on widely available platforms, with her name attached, but there is also information about her love and sex life in chats, that she clearly feels are very private. In addition she keeps data in relation to her job as an independent contractor on her phone. The GDPR covers all such information - no matter if the information is trivial or extremely sensitive, private or related to her business.}}</blockquote>The information can either be 'objective' such as unchangeable characteristics of a data subject as well as 'subjective' in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6];  especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref> This means that also mere likeliness, predictions or planning information is covered by the GDPR, as long as it relates to a person.<blockquote>{{Quote-example|Petra is also customer of a bank with a private and a commercial bank account. The bank does not only hold her name, address, contact data or passport information, but also all her transaction data. In addition the bank also uses a system to predict if Petra may default on her loan. For the prediction the Bank uses information about unpaid bills from a third party provider. The information is actually incorrect, as Petra always paid her bills. All such data is covered by the GDPR, allowing Petra to e.g. use her rights under the GDPR to take action against incorrect information associated with her.}}</blockquote>With regards to the format or medium of the information, data of any type - may it be alphabetical, numerical, (photo)graphical, acoustic - is included. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions,<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> The GDPR deliberately does not specify the medium or types of information, following a 'tech neutral' approach.


==== Relating To ====
====Relating to====
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. ''where the information, by reason of its <u>content</u>, <u>purpose</u> or <u>effect</u>, is linked to a particular person''.<ref>CJEU,  Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref>
The information needs to relate to an individual. In accordance with the WP29,<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. "''where the information, by reason of its <u>content</u>, <u>purpose</u> or <u>effect</u>, is linked to a particular person''".<ref>CJEU,  Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref>


The content of the information is ''<nowiki/>'relating to''<nowiki/>' a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a bigger group of person without any possibility to single out a individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> <blockquote><u>Examples:</u> A marketing company's system identifies twenty different groups within the French society. They assign different income levels, spending behaviors and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to such a group, claiming that he would be conservative, mid-level income and open to spending his income on travels, this information now relates to Felix and is covered by the GDPR.</blockquote>Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref name=":0">''Klar/Kühling/Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4(2) GDPR, margin number 38 (C.H. Beck 2020)</ref> However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows to infer the owners wealth and income situation while car service records allow conclusions towards their driving behavior.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, also Geodata (like GPS data and coordinates) allows to derive locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> Equally, information from satellite images allow to find out if a person can afford a large property or a swimming pool, if the image can be linked to an individual.<ref name=":0" /> Especially, considering information on the growing amount of personal devices, wearables and RFID-Chips increasingly becomes related to their carrying person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref><blockquote><u>Examples:</u> A controller uses unique IDs of devices to target advertisement and generate other statistics.</blockquote>Furthermore, the purpose of the information cause a relation to a person where used to change its particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>
The content of the information is ''<nowiki/>'''relating to' a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]), for example medical records on a patient, or the file of an employee.</ref> On the contrary, information relating to a larger group of people without any possibility to single out a individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref><blockquote>{{Quote-example|A marketing company's system identifies twenty different groups within the French society. They assign different income levels, spending behaviours, and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to such a group claiming that he would be conservative, mid-level income, and open to spending his income on travels this information now relates to Felix and is covered by the GDPR.}}</blockquote>Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref name=":0">''Klar/Kühling/Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4(2) GDPR, margin number 38 (C.H. Beck 2020)</ref> However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows others to infer the owners wealth and income situation while car service records allow conclusions towards their driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Also, Geodata (like GPS data and coordinates) allows others to derive locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> Equally, information from satellite images could be used to find out if a person can afford a large property or a swimming pool, provided that the image can be linked to an individual.<ref name=":0" /> This is particularly relevant in the current technological landscape, considering the wealth of information which can be extracted from a growing number of personal devices, wearables and RFID-Chips, especially as these devices become increasingly associated to their owners or users.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref> <blockquote>{{Quote-example|A controller uses unique IDs of smart watches, smart phones and connected cars to collect information about the use of these devices. These devices are all used by a single person, so in fact the use of these devices also 'relate[s] to' a natural person.}}</blockquote>Furthermore, the purpose of the information can determine whether it is 'related to a person', where it is used to change their particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>


==== Identified or Identifiable ====
====Identified or identifiable====
The person to which the information relates must also be identified or identifiable.  
The person to which the information relates must also be identified or identifiable.  


A person is “identified” where it can be distinguished or 'singled out' from a bigger group of persons from the information directly.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through several 'identifiers' listed by Article 4(1) GDPR, such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]) with reference to the Commission.</ref> Note that the name of a person is therefore not necessarily required to identify an individual given such typically more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>
A person is "identified" when they can be directly distinguished or "singled out" from a larger group of persons, based on the information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This can be achieved through several 'identifiers' listed by [[Article 4 GDPR#1|Article 4(1) GDPR]], such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone number, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]) with reference to the Commission.</ref> Note that the name of a person is therefore not necessarily required to identify an individual as there are often more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref><blockquote>{{Quote-example|A controller holds the phone number of data subjects, but not the names. The users are still 'identified' by that number and the GDPR applies.}}{{Quote-example|Example: 'Ursula Schmidt' is such a generic name, that it may not be identified or even identifiable without additional information or context. 'Ursula von der Leyen' may be so specific that it is identifiably the president of the European Commission.}}</blockquote>A person is "'identifiable' when they have not been identified yet but where identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> It can be unclear what is still 'identifiable' and what is not anymore. Different people may have different abilities to identify a person, and different contexts or situations may lead to different answers as to the person being identifiable. Recital 26 clarifies that "''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used... either by the controller or by another person to identify the natural person''".


A person is “identifiable” when it has not been identified yet but where identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from other entities to identify a person. However, the “reasonable likeliness” of such information being used by the controller, narrows the approach to a relative (subjective) one. In this regard, Recital 26 sentence 4 GDPR adds that in order ''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''
Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from any other entities to identify a person. However, the 'reasonable likeliness' of such information being used by the controller or a third party, narrows the approach. In this regard, Recital 26 adds that in order "''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification... the available technology at the time of the processing and technological developments''".


In other words, while not all of the information required to identify the person needs to be in the hands of the controller<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility to identify the person with the information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual taking into account state-of-the art tools, available sources, costs, time and effort required to perform the identification. In the case of collecting IP-addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access additional information required to link the IP-address to the respective visitor.<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref>
In other words, while not all of the information required to identify the person needs to be in the hands of the controller<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility to identify the person with the information from other entities is not sufficient.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual, taking into account the use of state-of-the art tools, available sources, costs, time, and effort requried to identify the individual. The assessment is factual and is not limited to lawful means to identify a person, when it is reasonably likely that an actor could also use unlawful ways to identify a person.<blockquote>In [[CJEU - C-582/14 - Patrick Breyer|C-582/14 ''Breyer'']] the CJEU had to consider if IP addresses enable the identification of a natural person. The IP address is the number under which a computer or smartphone can be reached over the internet. Almost every controller exchanging information with a data subject over the internet will have to use the IP addresses. IP addresses can be dynamic (meaning the number is lost every 24 hours or every time a customer restarts their internet modem) or fixed (which means the number is always associated with the same customer). It may be that such a number is associated with a user account, in which case it becomes personal data. Even if the number itself may not be linkable by a controller, governments but also private entities may have legal powers to access subscriber details in relation to the IP-address. The CJEU found that even in such cases, the IP address can constitute personal data.<ref>CJEU Case C‑582/14, ''Breyer'', 19.10.2016, margin number 49 (available [[CJEU - C-582/14 - Breyer|here]]).</ref>
{{Quote-CJEU|"[A] dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data [...] in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."|CJEU - C-582/14 - Breyer|49}}</blockquote>This example from case law shows that many data types may constitute personal data in one situation and not in another situation. Usually controllers and processors cannot, for example, determine if an IP address in their log files is dynamic or fixed. In practice this may mean that controllers or processors choose to treat all IP addresses as if they are personal data, to ensure compliance with the GDPR.


Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially, where information is stored over a long period of time, persons become more likely to be identified as continuously more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, even pseudonymised data shall explicitly remain considered as information on an identifiable person, according to Recital 26 GDPR. For further information, see also the commentary on Article 4(5) GDPR.
Furthermore, taking the increasing accessibility of information through means such as big data technologies and device fingerprinting into consideration, measures to successfully identify individuals are becoming increasingly effective.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Additionally, because more information is continuously added to individual data sets and stored over a longer period of time, persons are significantly more likely to be identified.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref>


==== Natural Person ====
==== Natural person====
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons according to Article 8 of the EU's Charter of Fundamental Rights, according to which “''Everyone has the right to the protection of personal data concerning him or her.''.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><blockquote><u>Example:</u> An third country immigrant entered the EU illegally. Once she arrives she makes a WhatsApp call to inform her family back home that she survived the trip and is now in the EU. Given that the geographic application of Article 2 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR - independent of her immigration status or citizenship. This is because the GDPR follows a human rights approach.</blockquote>Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Following up with the GDPR, information relating to deceased persons is then not considered personal data.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through its relatives.<ref>Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR.<blockquote><u>Example:</u> The health records of a deceases patient are not protected by the GDPR anymore. However, most EU Member States have various rules relating the the use of health data or civil law provisions in relation to the right to privacy that may still cover information of deceased persons.</blockquote>As the definition is limited to natural persons, also information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy-Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref>
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR.</ref> but granted to all natural persons according to Article 8 of the EU Charter of Fundamental Rights ("''Everyone has the right to the protection of personal data concerning him or her''").<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref><blockquote>{{Quote-example|third country immigrant entered the EU illegally. Once she arrives she makes a WhatsApp call to inform her family back home that she is safe and is now in the EU. Given that the geographic application of Article 2 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR - independent of her immigration status or citizenship. This is because the GDPR follows a human rights approach.}}</blockquote>Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Following up with the GDPR, information relating to deceased persons is then not considered personal data.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional, or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through their relatives.<ref>Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on [[Article 4 GDPR#13|Article 4(13) GDPR]].<blockquote>{{Quote-example|The health records of a deceased patient are not protected by the GDPR. However, most EU Member States have various rules relating the the use of health data or civil law provisions in relation to the right to privacy that may still cover information of deceased persons.}}</blockquote>As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy-Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC].</ref> national data protection laws, or constitutional laws sometimes grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref> Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. This is particularly relevant where the information on a legal person allows one to derive information on a natural person. For example, a company name or mail address may be related to a natural person and therefore constitute personal data. This is especially common for smaller, family run, or one person businesses/enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><blockquote>{{Quote-example|'Marta O'Connel's Plumbing of Limerick Ltd.' is a limited company and not directly considered a 'natural person' under the GDPR. However, the sole owner and manager is Marta O'Connel and there is also no other female plumber in the whole province of Limerick. Therefore, it is easy to identify the natural person behind the legal entity. Information about 'Marta O'Connel's Plumbing Ltd.' going bankrupt therefore clearly also relates to an identifiable natural person and is, as such, covered by the GDPR.}}</blockquote>


Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. Especially, where the information to on legal person allows to derive information on the natural person behind, such as a company’s name or mail address, it may be related to a natural person and therefore personal data. This is especially common for smaller businesses, family run or one person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref><blockquote><u>Example:</u> '<nowiki/>''Marta O'Connel's Plumbing of Limerick Ltd.''<nowiki/>' is a limited company and not directly subject to the GDPR. However, the sole owner and manager is Marta O'Connel. There is also no other female plumber in the whole province of Limerick, so it is easy to identify the natural person behind the legal entity. Information about '''Marta O'Connel's Plumbing Ltd.''" going bankrupt is therefore clearly also relating to an identifiable natural person and therefore covered by the GDPR.</blockquote>
====Anonymous data====
Personal data is often contrasted with 'anonymous' data. Anonymous data is data relating to a person that is not identifiable. The GDPR does not protect such data and controllers or processors are free to use such data (unless there are limits under other applicable law).<blockquote>{{Quote-example|Employees can participate in an internal vote. The ballots are thrown into a ballot box and mixed. The votes are properly anoymized. In a digital system, data can be stored without any linked personal information (like the user IDs). If the remaining information is anoynmous data and not covered by the GDPR.}}</blockquote>In practice, it gets increasingly hard to truly anonymise personal data, especially when data is not very limited and uniform, or can be connected with other available information. New methods and technologies, such as big data analytics and artificial intelligence, are able to match and connect information that humans may not identify as being related.<blockquote>{{Quote-example|In 2006 the internet company AOL released 20 million searches that were entered into its search engine over three months. The searches of users could be connected via an anonymous ID. As many users entered personal information in the search box, the New York Times was able to quickly find the relevant users. AOL deleted the file later, but it was already widely copied.}}</blockquote>Some technical solutions that may be useful or even required under the GDPR (e.g. from a security perspective under [[Article 32 GDPR]] or as a means of data minimisation under [[Article 5 GDPR|Article 5(1)(c) GDPR]]) can get confused with techniques to truly anonymise data. <blockquote>{{Quote-example|A payment provider and an airline strike a cooperation deal. When customers enter an email address during the airline booking process and the payment provider has the same email address in its files, only the payment provider will be shown as a payment option. The airline pays a lower transaction fee in return. To limit the exchange of customer data, they agree to only share 'hashes' of the email, which is a cryptographic fingerprint of the email address. While you cannot regenerate the email address from the hash value, everyone in possession of the email address can calculate the same hash value and see that the hash matches the email address. The technicians tell their Data Protection Officer that they only exchange anonymous data and there are no privacy issues involved. The Data Protection Officer, however, realises that the airline can single out the relevant customers. The data is therefore personal data and the system falls under the GDPR.}}</blockquote>


==== Further Examples of Personal Data Subject to the CJEU ====
====Examples of personal data in the CJEU's case law====
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref>
There are a number of data types that were already the subject of CJEU case law: 
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref>
*Name, date of birth, nationality, gender, ethnicity, religion and language;<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref>
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref>
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities;<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref>
*Municipality, information concerning the earned and unearned income and assets of a person;<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref>  


*Data which relate both to the monies paid by certain bodies and the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref>
*Salaries of employees of a public body;<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref>


*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies;<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>


*The times when working hours begin and end, as well as the corresponding breaks and intervals<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref>
*Working hours and times, as well as the corresponding breaks and intervals;<ref>CJEU, C-342/12, Worten, 30 May 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-342/12&language=EN here]).</ref>
*Telephone numbers, employment and hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>
*Telephone numbers, employment and hobbies;<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref>


*Dynamic IP address<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref>
*Dynamic IP address;<ref>CJEU, C-582/14, Breyer, 19 October 2016 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-582/14 here]).</ref>
*Video surveillance<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref>
*Video surveillance;<ref>CJEU, C-212/13, Ryneš, 11 December 2014 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-212/13 here]).</ref>
*Written exams<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref>
* The content of written exams;<ref>CJEU, C‑434/16, Nowak, 20 December 2017 (available [https://curia.europa.eu/juris/liste.jsf?language=de&num=C-434/16 here]).</ref>
*Fingerprints<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref>
*Fingerprints.<ref>CJEU, C‑291/12, Schwarz, 17 October 2013 (available [https://curia.europa.eu/juris/liste.jsf?num=C-291/12&language=DE here]).</ref>
As always, whether or not data is actually personal data is a matter of context and case-by-case analysis.


===(2) Processing ===
===(2) Processing===
Processing is another central requirement for the application of the GDPR. To be considered as 'processing' the operation in question has to relate to personal data, according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by full-, semi or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref>
Processing is another central requirement for the application of the GDPR. It is defined as "''any operation or set of operations which is performed on personal data''".


The notion of processing is formulated broadly by the GDPR through an enumeration of several operations:
====Any operation or set of operations====
The notion of processing is formulated broadly by the GDPR as 'any operation or set of operations'. The inclusion of 'a set of operations' means that, within the GDPR, the word 'processing''<nowiki/>''' may refer to a single processing operation or a set of any number of operations.


*'''Collection''' (targeted procurement of single pieces of data), such as offering online registrations or contact forms<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref>
The term processing is further explained by a list of non-exhaustive examples: 
*'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors
*Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref>
*'''Organisation''' (systematic ordering that enhance access and evaluation of information), such as the allocation of information within databases
* Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors;
*'''Structuring''' (ordering data according to certain criteria), e.g. in numerically or alphabetical order<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref>
*Organisation (systematic ordering to enhance access and evaluation of information), such as the allocation of information within databases;
*'''Storage''' (saving information to a physical and readable format), such as on information on paper, files, disks, drives or cloud servers<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref>
* Structuring (ordering data according to certain criteria), e.g. in numeric or alphabetical order;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref>
*'''Adaptation''' (adjustments to the content of information according to specific criteria), e.g. updating to information on age, address or income<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).</ref>
*Storage (saving information to a physical and readable format), such as information on paper, files, disks, drives or cloud servers;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref>
*'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref>
*Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).</ref>
*'''Retrieval''' (accessing stored information), for example loading information to be displayed on a device<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref>
*Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref>
*'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref>
*Retrieval (accessing stored information), for example loading information to be displayed on a device;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref>
*'''Use''' (catching term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref>
*Consultation (accessing stored information through targeted searches), such as using search routines to find and display data;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref>
*'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer information with another company
* Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails;<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref>
*'''Disclosure by dissemination''' (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref>
*Disclosure by transmission ('pushing' information to recipients or other third parties), such as sharing customer information with another company;
*'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on websites or search engines<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref>
*Disclosure by dissemination (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref>
*'''Alignment''' (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions
*Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines;<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref>
*'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR)<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref>
*Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions;
*'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website<ref>Recital 67 GDPR.</ref>
*Combination (merging information), such as profiling (see also Article 4(4) GDPR);<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref>
*'''Erasure''' (irreversible rendering of information impossible to access), such as overwriting data multiple times<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref>
*Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website;<ref>Recital 67 GDPR.</ref>
*'''Destruction''' (physically destroying the data carrier), such as shredding of files<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref>
*Erasure (irreversible rendering of information impossible to access), such as overwriting data multiple times;<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref>
*Destruction (physically destroying the data carrier), such as shredding of files.<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref>
The only major exception to the above is where the controller remains completely passive without taking any active action towards information that is imposed by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref>


Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where controller remains completely passive without taking any active action towards information that is imposed by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref>
====Performed on personal data====
To be considered as 'processing' the operation in question has to be performed on personal data. Processing of other data does not fall under the definition.


'''<u>Relevant Recitals</u>'''
====Whether or not by automated means ====
{{Recital/15 GDPR}}
Processing can be carried out by fully automated, semi-automated, or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref><blockquote>{{Quote-example|A person manually enters names into a system. The names are processed. The data is then stored and never looked at again. Storage is also processing and needs to comply with the GDPR. After years the hard drive that the data was stored on gets shredded. The destruction equally constitutes processing.}}</blockquote>


===(3) Restriction of Processing===
===(3) Restriction of processing===
The restriction of processing means neither a complete prohibition to process nor an erasure of personal data. It is a limitation for the controller to process certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> Usually, restrictions to the processing of personal data occur when the data is not required for its purpose originally collected for any more, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref>
Restriction is a specific form of processing. The restriction of processing means neither a complete prohibition to process nor an erasure of personal data, it is best described as a freezing of personal data for a certain period of time.


Technically, the restriction is realized through markers on the data in question that ‘locks’ it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In terms of automated systems, the restriction shall be ensured by technical safeguards to ensure the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In terms of non-automated systems, marking the data is typically not sufficient but requires a relocation to a separate storage with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref>
Usually, restrictions to the processing of personal data occur when the data is not required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).</ref> The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.<blockquote>{{Quote-example|Greta finds out that a credit ranking agency holds wrong information about her. As a consequence she cannot get a cell phone contract. The credit ranking agency has a huge backlog when correcting data. In the meantime the wrong information can be marked as contested and not used in the system.}}</blockquote>


Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].
==== Marking of stored personal data====
The provision only applies to stored personal data. Personal data that is not at rest do not seem to be subject to a restriction of processing.


The restriction of processing can also be initiated by request of a data subject under the requirements of [[Article 18 GDPR|Article 18(1) GDPR]] or a data protection authority according to [[Article 58 GDPR|Article 58(2)(g) GDPR]]. For more information see the commentary on these provisions.
Marking the data is usually done by labels in systems or any other similar approach.  


'''<u>Relevant Recitals</u>'''
====Aim of limiting their processing in the future ====
{{Recital/67 GDPR}}
The restriction is not just limited to the marking of data, but must have the aim of limiting certain personal data only for very limited purposes.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).</ref> In practice this means that systems also have to react to the marking and, for example, not include the data in other processing operations anymore.


===(4) Profiling===
Obviously the limitation can only have an effect in the future. The fact that the law only requires one to 'aim' for the limitation should not be understood that the limitation must not be fully implemented.
With the explicit mentioning of profiling the GDPR reacts to recent risks and dangers origination from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).</ref> These profiles are typically generated through the application of statistical-mathematical measures to personal data that produce predictions on the future behaviour of the data subject.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref>


Profiling does not require knowledge on the civil identity of the data subject.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).</ref> It already occurs in association with online identifiers, such as IP-addresses, cookie IDs or RFID tags.<ref>Recital 30 sentence 1 GDPR.</ref> as well as information automatically collected from smart devices, wearables or cars.<ref>Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref>
====Implementation====
Technically, the restriction is realized through markers on the data in question which block it from further processing in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).</ref> In terms of automated systems, the restriction shall be ensured by technical safeguards to ensure the personal data is not subject to further processing or changes.<ref>Recital 67 sentence 2 GDPR.</ref> In terms of non-automated systems, marking the data is typically not sufficient but requires a relocation to a separate storage system with access restrictions.<ref>Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).</ref>  


The definition provides a non-exhaustive list over common profiling criteria, such as work performance, economic situation, health or more general personal preferences, interests, behaviour as well as locations and movements. Popular examples are therefore
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.<ref>Recital 67 sentence 1 GDPR.</ref> In case, the data subject needs to be informed about the restriction of processing of their personal data according to [[Article 18 GDPR|Article 18(3) GDPR]].


*Maintaining customer profiles for more efficient marketing<ref>Recital 70 GDPR.</ref>
===(4) Profiling===
*Operating systems for credit rating/scoring<ref>Recital 71 sentence 1 GDPR.</ref>
Profiling is a specific form of processing. The concept is used in various provisions of the GDPR such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], or automated decision making, see [[Article 22 GDPR]]. Profiling also triggers information duties under [[Article 13 GDPR|Articles 13(2)(f)]] and [[Article 14 GDPR|14(2)(g)]] GDPR; access rights under [[Article 15 GDPR#1h|Article 15(1)(h) GDPR]]; or the the need to perform data protection impact assessments under [[Article 35 GDPR|Article 35(3)(a) GDPR]].
*Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref>


Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed on the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref>
==== Evaluation of personal aspects====
Profiling is defined as a processing operation with the purpose of evaluating personal aspects of a natural person.


'''<u>Relevant Recitals</u>'''
Despite the rather specific general meaning of 'profiling', there is no minimal threshold of how much data must be used to constitute profiling or how personal or sensitive the personal aspects should be. The definition is therefore very broad and includes any way of calculating personal aspects of individuals.
{{Recital/24 GDPR}}
{{Recital/30 GDPR}}
{{Recital/60 GDPR}}
{{Recital/71 GDPR}}


===(5) Pseudonymisation===
Profiling is typically done by the application of statistical-mathematical measures to personal data that produce analysis of predictions of personal aspects.<ref>''Helfrich'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).</ref>
Pseudonymisation is the process of changing personal data in a way that information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject through the respective controller.


Examples for the pseudonymisation of personal data include:
==== Automatic processing ====
Manual review of personal data to evaluate personal aspects does not constitute profiling, as the definition requires 'automated processing'.


*Replacement of names through ID’s, codes or aliases<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref>
====Exemplary list====
* Encryption or hashing of data<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref>
The definition provides a non-exhaustive list over common types of profiling, such as:
*Pixelation of video materials<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).</ref>


Pseudonymisation has to be distinguished from anonymization. Anonymization is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional of information and is therefore invertible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.</ref>
*performance at work;
*economic situation;
*health;
*personal preferences;
*interests;
*reliability;
*behaviour;
*location; or
*movements.


The distinction between anonymized and pseudonymised data follows the decisive criteria of any reasonable likeliness from Recital 26 sentences 3, 4 GDPR considering the costs, amount of time required and available technology required to identify the data subject. However, considering the recent emergence around big data analytics and data processing capabilities, the process of anonymization becomes increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref> And while some scholars argue for a ‘subjective anonymisation’,<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).</ref> the party undertaking the pseudonymisation is typically able to reassign the data subject.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).</ref>
Practical examples of 'profiling' are therefore:


In any way, the information allowing re-identification of the data subject needs to be stored separately and must secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref> In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations from the GDPR.<ref>Recital 28 sentence 1 GDPR, such as ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref>
*Creating customer preferences based on previous purchases or clicks;
*Maintaining customer profiles for more efficient marketing;<ref>Recital 70 GDPR.</ref>
*Operating systems for credit rating/scoring;<ref>Recital 71 sentence 1 GDPR.</ref>
*Operating e-Recruitment Systems.<ref>Recital 71 sentence 1 GDPR.</ref>


*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]])
===(5) Pseudonymisation===
*Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]])
Pseudonymisation is a form of processing that alters personal data so that identifying information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. The aim is to reduce risks for the data subjects and help controllers and processors to meet their obligations under the GDPR,<ref>Recital 28 sentence 1 GDPR, such as ''Hansen'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); ''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).</ref> such as data minimisation or as part of a data security concept. 
*Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]])
*Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]])
*Implementing Data Protection by Design and Default ([[Article 25 GDPR]])


'''<u>Relevant Recitals</u>'''
Pseudonymised data is a specific type of personal data and still falls under all relevant provisions of the GDPR. There are however some provisions that refer to pseudoymized personal data and treat it (slightly) different than personal data: 
{{Recital/26 GDPR}}
{{Recital/28 GDPR}}
{{Recital/29 GDPR}}


===(6) Filing System===
*Implementing security safeguards (see [[Article 32 GDPR|Article 32(1)(a) GDPR]]);
The notion of ‘file system’ is an important criterion for the application of the GDPR in terms of non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]). It is complementing the approach of technological neutrality followed by the GDPR.
*Handling of personal data breaches (see [[Article 34 GDPR|Article 34(3)(a) GDPR]]);
*Changing purposes of data processing ([[Article 6 GDPR|Article 6(4)(e) GDPR]]);
*Serving principles of data minimization and security ([[Article 5 GDPR|Article 5(1)(c)(f) GDPR]]);
*Implementing Data Protection by Design and Default ([[Article 25 GDPR]]).


A filing system is characterized through a structured set of personal data accessible to specific criteria. The structure of the information must allow a targeted search to personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> This is already satisfied, when personal data on a particular person is retrievable.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021). and ''CJEU'', C-25/17, Johovan Todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref>
====No longer attributed to a specific data subject====
In order to count as pseudonymised data, the personal data must be processed in a way that cannot be attributed to specific data subject without the use of additional information. The pseudonymised data set itself, therefore. does not relate to an identified or identifiable person.


The data can be stored either within a single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require to store information in multiple persons. Already storing structured information on a single person may qualify as filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref>
==== Additional information permitting attribution====
Information allowing attribution of the data subject needs to be stored separately and must secured by technical or organisational measures to prevent identification.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).</ref>


Examples are:
====Implementation====
Examples for the pseudonymisation of personal data include:


*Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Replacement of names through ID’s, codes or aliases;<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and ''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).</ref>
*Saved letter-correspondence with customers<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Encryption of personal data;<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(5) GDPR, margin number 9 (C.H. Beck 2020)</ref>
*Covid-19-Guest-Lists sorted by date<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref>
*Hashing of personal data.<ref>''Klar, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).</ref>


'''<u>Relevant Recitals</u>'''
====Difference to anonymization====
{{Recital/15 GDPR}}
The distinction between anonymized and pseudonymised data follows the decisive criteria of any reasonable likeliness from sentences 3 and 4 of Recital 26 GDPR, considering the cost, time, and available technology required to identify the data subject. However, considering the recent emergence of big data analytics and advanced data processing capabilities, the process of anonymisation is becoming increasingly difficult.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).</ref>
{{Quote-common-mistake|Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.<ref>Recital 26 GDPR.</ref> Pseudonymisation, on the other hand, generally allows for an identification through the use of additional of information and is therefore reversible.<ref>''Hullen'', Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.</ref>}}
=== (6) Filing system===
The definition of a 'filing system' is relevant for the application of the GDPR in cases of non-automated data processing (see [[Article 2 GDPR|Article 2(1) GDPR]]).


===(7) Controller===
====Set of personal data====
The controller is the main addressee to obligations formulated by the GDPR. A controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, it the controller is to be distinguished from the processor, which is further explained in Article 4(8) GDPR.
A filing system is characterized through a structured set of personal data. The data can be stored within either single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require the storage of information on multiple persons. Storing structured information on a single person may qualify as filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref>  


The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure to be able to demonstrate that any processing of personal data performed on his behalf is in accordance with the GDPR.
====Structured by specific criteria====
A set of data is only a structured filing system if it is accessible according to specific criteria. The structure of the information must allow a targeted search of personal data.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).</ref> For example, when personal data on a particular person is 'retrievable' it already satisfies this requirement.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021). and ''CJEU'', C-25/17, Johovan Todistajat, 10 July 2018 (available [https://curia.europa.eu/juris/liste.jsf?language=en&td=ALL&num=C-25/17 here]).</ref>


In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to [[Article 26 GDPR]]. Important, however, is utlimately the factual influence on the processing of the personal data<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see Recital 79 GDPR. In this regard, the participation and influence on the purposes and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref>
====Typical examples====
Examples are:


For example, a joint controllership is assumed between
*Paper archives, sorted by name, date or any other system;
*Salary lists on employees;<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Saved letter-correspondence with customers;<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref>
*Covid-19-Guest-Lists sorted by date.<ref>''Jahnel'', in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).</ref>


* Search-Engines-Operators and the websites of which information is structured, presented and complemented with advertisements within search results<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref>
===(7) Controller===
* Facebook and Administrators of Fan Pages on its social network<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.</ref>
The controller is the main addressee of obligations under the GDPR. The controller is defined as the body that determines the purposes and means of the processing. This broad definition of the concept of controller is intended to ensure the effective and complete protection of data subjects.<ref>CJEU, Case C-200/23, ''Agentsia po vpisvaniyata,'' 4 October 2024, margin number 72 (available [[CJEU - C-200/23 - Agentsia po vpisvaniyata|here]]).</ref>  
*Facebook and Websites that integrated a ‘Like Button’<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.</ref>


In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller according to [[Article 26 GDPR]]. For further information see the commentary on that provision.
====Objective approach====
The GDPR foresees that the controller must be determined based on the objective facts of the case. This means that mere declarations in contracts, privacy notices and alike do not constitute a binding determination of controllership. The objective approach requires a detailed assessment, but also prevents so-called 'forum shopping' and responsibility shifting.


'''<u>Relevant Recitals</u>'''
====Any natural or legal person====
{{Recital/79 GDPR}}
A controller can be any natural or legal person, public authority, agency or other body. Everyone with legal capacity can be a controller when processing personal data, including individuals, private legal entities, or government entities. It is necessary to assign the determination of purpose and means (see below) to a responsible entity. Departments, individual establishments, or other elements that are not legally independent form one controller together with the legal entity that they belong to.<ref>''Hartung'', in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 9 (C.H. Beck 2020), with further references.</ref>


===(8) Processor ===
It is after all a matter of national law if, for example, workers councils within a company or individual government entities form a legally separate body or not. If they are legally separate holders of rights and duties, they can form a separate controller.
The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural, legal person, public authority, agency or body that processes personal data on behalf of the controller qualifies as a processor.


The most important distinction is, that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref>
If a person within the controller acts outside of their assigned capacity and processes personal data for their own purpose, their acts cannot be attributed to the controller and they become their own controller, with their own responsibilities of any processing operation they may undertake.<ref>''Hartung, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 10 (C.H. Beck 2020) </ref><blockquote>{{Quote-example|In Member State 'A' schools are their own legal entity. In Member State 'B' schools are part of the Ministry of Education and are not separate holders of rights. In Member State 'A' the school is typically the controller for processing operations within it, while in Member State 'B' the Ministry is typically the controller. If the computer science teacher in either school decides to use a school server to host his own private software project, the teacher is typically considered a separate controller.}}</blockquote>


Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> provides some examples as references for controller-processor relationships:
====Determination====
The key element of the controller definition is the focus on the entity making the relevant determinations for any processing activity. The determinations of persons acting on behalf of an entity are attributed to that entity. It is necessary to review which entity, or element within an entity, objectively made determinations about the purpose and means. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>


*Outsourcing of Callcenters for Customer Communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
Merely formal declarations are not relevant. Especially in complex situations where many players are involved in the processing operation, the proper identification of the controller may prove to be complex.<blockquote>{{Quote-example|Company 'A' offers an app to users. The head of the IT department suddenly decides that personal data of users will be processed for the purpose of product improvement and advertisement of the app itself. The CEO of the company does not raise any objections. Company 'A' is the controller for the processing operations and ultimately responsible for complying with the GDPR.}}</blockquote>
*Outsourcing of Mail Services<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
*Cloud Hosting and Grid Computing<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref>
*A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref>


When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical organizational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of additional relevance is [[Article 28 GDPR]], that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].
====Purposes====
Personal data may only be processed for a specified, explicit and legitimate purpose (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]). The body that decides over the purpose is typically the controller. The determination of the purpose it the primary element to review when determining controllership.<ref>''Jahnel'', DSGVO, Article 4(7), marginal number 15, (Jan Sramek Verlag 2021)</ref>


A special form of the processor is the ‘sub processor’ engaged by the processor which requires another processing agreement and authorisation through the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]].
====Means====
The means include the personal data that is processed to achieve the purpose; the duration of the processing; the recipients of personal data; as well as the technical means to process personal data, such as hardware or software.<ref>''Jahnel'', DSGVO, Article 4(7), marginal number 22, (Jan Sramek Verlag 2021)</ref> The controller must only determine the means, but must not control them physically.<blockquote>{{Quote-example|A company uses an external service for statistical analysis. The systems of the external service collect personal data and calculate the results. The company does not even have access to the raw information. Nevertheless, the company has determined the purposes and means of the processing (including the described system) and is hence the controller.}}</blockquote>


'''<u>Relevant Recitals</u>'''
====Opening clause for a determination by EU or Member State law====
{{Recital/81 GDPR}}
Article 4(7) GDPR allows that specific EU or national law (''lex specialis'') may assign the controllership to a certain entity for specific processing operations. Such provisions typically define controllership when private entities act in the public interest or are fulfilling public tasks. The clause also allows Member States to clarify controllership among different public bodies or elements. Such explicit determinations in EU or national law should not be confused with generic national laws that assign certain duties to an entity without determining controllership itself.


===(9) Recipient===
In case national law makes such a determination, it should be ascertained whether that law specifies the controller or lays down the criteria applicable to its nomination.<ref>CJEU, Case C-200/23, ''Agentsia po vpisvaniyata,'' 4 October 2024, margin number 73 (available [[CJEU - C-200/23 - Agentsia po vpisvaniyata|here]]).</ref>
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broadly, i.e. any party which personal data is disclosed to, independently of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity classifies as recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref>


The concept of the recipients is primarily relevant in terms of information obligations of the controller. According to Article 13 to 15 GDPR,<ref>More precise, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind is, that the controller whenever disclosing personal data to another entity, cannot completely take over responsibility for processing on its own any more.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref>
{{Quote-CJEU|"It must also be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned [...]"|CJEU - C-200/23 - Agentsia po vpisvaniyata|74.}}


In this regard, it is discussed, whether a processor is also a recipient. One the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third-party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Article 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref>
====Joint controllership====
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to [[Article 26 GDPR]]. Important, however, is utlimately the factual influence on the processing of the personal data<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> (see Recital 79 GDPR). In this regard, the participation and influence on the purpose and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref>


Not considered as recipient are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that the entity requires a particular degree of sovereignty in order to count as recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are inseparable part of the internal structure of the controller are therefore not to classify as recipients.
For example, a joint controllership is assumed between:


Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref>
*Search-Engine-Operators and the websites on which information is structured, presented and complemented with advertisements within search results;<ref>''CJEU'', C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131 here]), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.</ref>
*Facebook and the entity administering pages on the social network;<ref>''CJEU'', C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available [https://curia.europa.eu/juris/liste.jsf?num=C-210/16 here]), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.</ref>
*Websites that integrated elements of a third-party controller, such as a ‘Like Button’.<ref>''CJEU'', C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available [https://curia.europa.eu/juris/liste.jsf?num=C-40/17 here]), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.</ref>


'''<u>Relevant Recitals</u>'''
In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller, as required by [[Article 26 GDPR]].<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>
{{Recital/31 GDPR}}


===(10) Third Party===
===(8) Processor===
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation, as any person different from the data subject, controller, processor or any other person authorized to process personal data by the controller. Its notion becomes mainly relevant in terms of evaluating of interests, such as in Article 6 (1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref>
In practice most controllers do not process all their personal data themselves, but use various external providers, such as hosting providers, SaaS providers or so-called 'Cloud' providers, that process data on their behalf. The GDPR regulates these 'processors', as well as the interplay between the controller and the processor.


Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller is not a third party, unless the employee uses personal data for own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref>
Once an entity qualifies as a 'processor', many provisions of the GDPR apply, such as the required implementation of technical organizational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of additional relevance is [[Article 28 GDPR]], that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]].


'''<u>Relevant Recitals</u>'''
It should be noted that this definition includes the initial processor engaged directly by a controller as well as sub-processors along the processing chain (processors engaged by another processor).<ref>EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 17 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_opinion_202422_relianceonprocessors-sub-processors_en.pdf here]).</ref>
{{Recital/47 GDPR}}


===(11) Consent===
====Any natural or legal person====
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.<ref>Recital 32 sentence 1 GDPR.</ref> Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.<ref>Recital 32 sentence 2 GDPR.</ref>
Just like a controller, a processor can be any natural person, legal person, public authority, agency, or body. Internal units that process personal data on behalf of another department within the same legal entity (e.g. an IT department) are not processors, but are part of the controller.


The notion of consent within the GDPR is different from its constitutional equivalent in [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(2) ECFR]. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.<ref>''Klement'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).</ref> Rather, it should be seen as an exception from the general prohibition of processing of personal data under [[Article 6 GDPR|Article 6(1) GDPR]].
====Processing on behalf of the controller ====
The most important distinction is that, unlike the controller, the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref>


To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through [[Article 7 GDPR]]. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.<ref>[[Article 7 GDPR|Article 7(1) GDPR]], Recital 42 sentence 1 GDPR.</ref>
====Sub-Processors====
A special form of the processor is the 'sub-processor'. This is another processor, that is engaged by the processor. In theory there can be any number of sub-sub-processors. In practice such setups are very hard to manage for a controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2) and (4) GDPR]].


'''Freely Given'''
====Distinction to a (joint) controller====
In practice major IT companies (usually 'processors') are often more in control of processing operations than their commercial customers (usually 'controllers'). They usually offer a standard product with very specific terms and conditions, while many controllers may not. Therefore, it can be difficult to distinguish a 'joint controller' or 'co-controller' from a processor.


Consent has to be freely given, which means that the data subject must have the option to say "no" as well. Whether the option to refuse is genuinely given depends on the processing operation and service as well as the respective roles of the controller and the data subject in a given transaction. For example, if an employee has to consent that his mobile phone is tracked for fraud prevention purposes it is highly unlikely that he or she has a realistic chance to object. In other words, employers, governments or companies (especially those with a dominant market position) will typically be able to force data subjects to consent against their true wishes. In this perspective, Recital 43 GDPR highlights that if there is a "''clear imbalance between the data subject and the controller''" consent should not be considered a valid legal basis for the processing<ref>Recital 43 sentence 1 GDPR.</ref>
====Roles are specific for each processing operation====
Usually each processor also conducts processing operations where it is itself the controller. This is also the case whenever the processor acts against the orders of the controller and processes personal data for further purposes. In all these situations, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref>


Examples where asymmetries of power and bundled consent usually occur are:
====Exemplary list====
*Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref>
In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> provides some references as examples of controller-processor relationships:
*Employer-employee-relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref>
* Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref>
Recital 43 and Article 7(4) GDPR further deal with the situation of "bundled consent", i.e. when the performance of a contract is made conditional on consent, or when consent to different processing operations is bundled into one single yes/no option for the data subject. Take the case of a controller which uses a contract form in which the data subject also agrees that personal data can be sold to a third party (without this being necessary for the performance of the core contract). The individual cannot modify the form and must sign it as it is. In these cases, consent shall not be considered freely given.<ref>Recital 43 sentence 2 GDPR.</ref> For further indications on the issue of bundled consent and the criteria to assess the freely given requirement, see [[Article 7 GDPR|Article 7(4) GDPR]].


'''Informed'''
*Outsourcing of call centers for customer communications;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
*Outsourcing of mail services;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref>
*Cloud Hosting and grid computing;<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]) and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).</ref>
* A separate entity specialized in data processing within a group of companies.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref>
<blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>


Consent should be sought using clear and plain language and be provided in an intelligible and easily accessible form. The information under Article 13 and 14 GDPR should therefore fully inform the data subject concerning the processing based on such consent. According to the most recent CJEU case-law, however, such information must not only be provided but also “digested” by the data subject.<ref>EUCJ, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]).</ref> In particular, data subjects must be able to understand the circumstances of the processing of their personal data to estimate the consequences and implications of giving their consent.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).</ref> This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, like terms and conditions. For more information, see the commentary on [https://gdprhub.eu/index.php%3Ftitle=Article_7_GDPR Article 7(2) GDPR].
===(9) Recipient===
The 'recipient' is an umbrella term and defined as anybody (like controllers, processors, third parties) to whom personal data is disclosed to. Therefore, whenever a controller sends personal data to another entity, this entity classifies as recipient.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]).</ref> The concept of the recipients is primarily relevant in terms of information obligations of the controller. According to Article 13 to 15 GDPR,<ref>More precise, [[Article 13 GDPR|Article 13(1)(e) GDPR]], [[Article 14 GDPR|Article 14(1)(e) GDPR]], [[Article 15 GDPR|Article 15(1)(c) GDPR]].</ref> the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, whenever disclosing personal data to another entity, cannot completely take over responsibility for processing on its own any more.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).</ref> Listing the recipients ensures that the data subject is fully informed as to the whereabouts of their personal data.


'''Specific'''
====Any natural or legal person====
Just like a controller or processor, a recipient can be any natural person, legal person, public authority, agency, or body. On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref>


In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them separately.<ref>Recital 32 sentences 5, 6 GDPR.</ref> A blanket consent to all kinds of purposes is therefore not valid. For example, "''I agree to the processing of my data for different business purposes''" is not specific and therefore invalid.
====Disclosure====
The core element of the definition is the 'disclosure' of personal data. This includes any voluntary act of data sharing, including transmission, dissemination or otherwise making available (see Article 4(2) GDPR).<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4(9) GDPR, margin number 6 (C.H. Beck 2020)</ref>


The principle of specificity of consent (Article 4(11) GDPR) is confirmed by Article 6(1)(a) which requires consent to be given for “for one or more specific purposes”. This seems in line with the case law of the Court of Justice of the EU, according to which consent must refer to specific processing activities, clearly identified, <ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> also in order to allow the user to effectively understand the operations being carried out.<ref>CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available [https://curia.europa.eu/juris/liste.jsf?num=C-61/19&language=en here]). This reading seems to be confirmed by ''Bucher, Petri'', in Kühling, Buchner, DS-GVO BDSG, Article 6 GDPR, margin number 20 (C.H. Beck 2020).</ref>
====Processors====
There is an ongoing discussion as to whether a 'processor' can also be considered a 'recipient'. On the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of the third-party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Article 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref>


'''Unambiguous'''
====Exception for public authorities====
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref>


Consent must be given unambiguously in the form of clear and affirmative action. This can be checking a box ("opt-in") or a button in the digital environment. Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user had to deselect in order to refuse their consent cannot show any active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Similarly, actions which are not clearly affirmative include the simple use of a webpage. A user may simply ignore that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "''by using our webpage you agree to X''"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref> In conclusion, if a user clicks a "''I agree''" button or a person clearly moves into a picture that is taken, these actions are clearly  unambiguous. Vice-versa, a user merely visiting a page or walking down a street that is under surveillance, does not necessarily act in an unambiguous fashion and therefore the consent may be invalid.
===(10) Third Party===
The term 'third party' is used to describe anyone other than the data subject. This notion becomes relevant mostly in terms of evaluating interests, such as in Article 6 (1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref>


'''Withdrawal'''
====Negative definition====
'Third party' constitutes a negative definition, as any natural or legal person, public authority, agency, or body different from:


Consent can be withdrawn at any time. Withdrawing of consent shall be as easy as it was giving it. The controller has to inform the data subject on the possibility to withdraw consent prior to the processing. For further information, see the commentary on [[Article 7 GDPR|Article 7(3) GDPR]].
*the data subject;
* controller;
* processors; or
* any other person authorized to process personal data by the controller.


'''Capacity'''
====Dynamic classification of third parties====
While an entity may be a third party may from the perspective a given controller, it may itself be a controller or processor for any processing operation it conducts itself. The notion of a 'third party' is therefore not absolute, but based on the circumstances of a certain processing operation.


Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 while member states may not reduce that age limit to below 13.
====Typical cases====
Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller are not a third parties, unless the employee uses personal data for their own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref><blockquote><u>EDPB Guidelines:</u> On this provision there are the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en Guidelines 07/2020 on the concepts of controller and processor in the GDPR]</blockquote>


'''Explicit Consent'''
===(11) Consent ===
Consent is one of the legal basis mentioned under Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data.


The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more information check the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]].
The requirements for consent require a joint reading of Articles 4(11), 6(1)(a), 7 and 8 GDPR.  


'''<u>Relevant Recitals</u>'''
*For the definition of 'consent', see the more commentary under [[Article 6 GDPR|Article 6(1)(a) GDPR]] and [[Article 7 GDPR]].
{{Recital/32 GDPR}}
*For the definition of 'explicit consent', see the commentary under [[Article 9 GDPR|Article 9(2)(a) GDPR]].
{{Recital/33 GDPR}}
<blockquote><u>EDPB Guidelines:</u> on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en EDPB Guidelines 05/2020 on consent under Regulation 2016/679]</blockquote>
{{Recital/42 GDPR}}
{{Recital/43 GDPR}}


===(12) Personal Data Breach ===
===(12) Personal data breach===
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing the concerned data is sufficient.<ref>Wording: “otherwise processed”.</ref>
The definition of 'personal data breach' is relevant for the notification duties under [[Article 33 GDPR|Articles 33]] and [[Article 34 GDPR|34]] GDPR.


Moreover, it requires a security breach within that processing. Such are any failures of technical or organizational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can either be caused through targeted attacks from other parties or through mishandling of personal data through the controller or persons instructed, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples for security breaches are:
====Breach of security====
The definition of a data breach requires a security breach, such as a failure of technical or organisational safeguards implemented by the controller according to [[Article 32 GDPR]].  


*Hacking-attacks on systems involving personal data<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
====Accidental or unlawful====
*Missing access protection to data storages or buildings<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
These failures can either be caused by accident (e.g. through mishandling of personal data by the controller, employees and alike) or by unlawful acts (e.g. targeted attacks, hacking or a physical break in).<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref>  
*Sending data to unintended recipients<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Employees unlawfully distributing data to third parties<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref>
*Accidentally publishing or leaking data on website<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>
*Loss of physical data carriers<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Destruction of data storing infrastructure<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unrestorable encryption through Ransomware<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unlocked storage of employee files<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>


====Destruction, loss, alteration, unauthorised disclosure, or access====
As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>
As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>


The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue further guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref>
Although the transmission and storage of data are explicitly highlighted, any type of processing the concerned data is sufficient.<ref>Wording: “otherwise processed”.</ref>
 
===(13) Genetic Data===
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on the growth, metabolism, appearance, diseases or alike, both already existent or entering in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.


The classification as genetic data is becoming relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], that only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, that allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of heritage diseases, genetic data therefore carries a high risk of abuse in terms of employment and insurances.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref>
====Typical cases====
Some examples for personal data breaches are:


'''<u>Relevant Recitals</u>'''
* Hacking-attacks on systems involving personal data;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
{{Recital/34 GDPR}}
*Missing access protection to data storages or buildings;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Sending data to unintended recipients;<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Employees unlawfully distributing data to third parties;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref>
*Accidentally publishing or leaking data on website;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref>
*Loss of physical data carriers;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>
*Destruction of data storing infrastructure;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unrestorable encryption through Ransomware;<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref>
*Unlocked storage of employee files,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref>accidental or unlawful.


=== (14) Biometric Data===
===(13) Genetic data===
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for an unique identification. While this generally includes any means to analyse and measure the characteristics of humans<ref>Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the technical processing and unique identification requirements place higher burdens.
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, disease or alike, both already existent or emerging in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA), or ribonucleic acid (RNA) analyses.


The definition itself gives facial images and fingerprints<ref>Also called 'Dactyloscopic data'.</ref> as examples for biometric data. However, the requirement for specific technical processing, ensures that simple pictures or even passport photographs shall not be considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''.</ref> It is the further processing through the application of facial recognition software, that qualifies the extracted information as biometric data. In this regard, also IRIS Scanners, DNS-Comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered as biometric data.
The classification of genetic data is becoming relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], which only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, allowing a unique identification of the data subject and, at the same time, revealing personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of heritage diseases, genetic data carries a high risk of abuse in terms of employment and insurance.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref>


Other data, that does not allow an unique identification, such as the body size or blood type, may not be considered biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, these could then fall under the definition of ‘health data’ that offers similar protection like for biometric data, according to [[Article 9 GDPR|Article 9(1) GDPR]].
===(14) Biometric data===
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,<ref>Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the technical processing and unique identification requirements place higher burdens.


'''<u>Relevant Recitals</u>'''
The definition itself uses facial images and fingerprints<ref>Also called 'Dactyloscopic data'.</ref> as examples for biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs shall not be considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> Although, further processing through the application of facial recognition software would qualify the extracted information as biometric data. In this regard: IRIS Scanners; DNS-Comparisons; voice or gait pattern analyses;<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures,<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered as biometric data.
{{Recital/51 GDPR}}


===(15) Data Concerning Health===
Other data that does not allow an unique identification, such as body size or blood type, may not be considered biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, these could then fall under the definition of ‘health data’ that offers similar protection to that afforded to biometric data, according to [[Article 9 GDPR|Article 9(1) GDPR]].
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, current or future. In this regard, any information on diseases, risks, disabilities, their treatment and medical histories of a particular natural person explicitly qualify as health data.<ref>Recital 35 sentence 2 GDPR.</ref>


Examples for health data are information about:
===(15) Data concerning health ===
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, present or future. In this regard, any information on diseases, risks and disabilities - in addition to medical treatment and history - of a particular natural person explicitly qualifies as health data.<ref>Recital 35 sentence 2 GDPR.</ref>


*Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
Examples for health data includes information about:
*Hospitalizations, sick notes and sick payments<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
*Information the physical or mental invalidity to work<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref>
*Data from health- or fitness apps on eating or movement patterns, for example from wearables and smartphones<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref>


The notion of health data is therefore broader than ‘medicinal data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data.<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless high protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) sensitive data can be necessary to be processed without the data subjects consent, see Recital 54 GDPR.</ref> For further information, check the commentary on [[Article 9 GDPR]].
*Addictions to alcohol, drugs or medications as well as the participation in self-help groups;<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
*Hospitalizations, sick notes and sick payments;<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref>
*Information the physical or mental invalidity to work;<ref>''Petri'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).</ref>
*Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).</ref>


'''<u>Relevant Recitals</u>'''
The notion of health data is therefore broader than ‘medicinal data’.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).</ref> Furthermore, it strongly overlaps with the notions of genetic and biometric data,<ref>See Recital 35, “''Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples''”.</ref> in order to allow a seamless and high level of protection within the scope of [[Article 9 GDPR]].<ref>However, in some cases (e.g. the public health sector) sensitive data can be necessary to be processed without the data subjects consent, see Recital 54 GDPR.</ref> For further information, please check the commentary on [[Article 9 GDPR]].<blockquote><u>EDPB Guidelines:</u> on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak]</blockquote>
{{Recital/35 GDPR}}
{{Recital/54 GDPR}}


===(16) Main Establishment===
===(16) Main establishment===
If a controller or a processor have establishments in more than one member states, identifying its ‘main establishment’ is the first step to recognize the lead supervisory authority in a cross-border procedure.
If a controller or a processor have establishments in more than one member state, identifying its 'main establishment' is the first step to recognising the lead supervisory authority in a cross-border procedure under [[Article 56 GDPR]].


It is the role of a data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the Working Party 29 stressed that the GDPR does not permit ‘forum shopping’ and conclusions cannot be based solely on statements by the organisation under review: The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
====Objective criteria====
The main establishment of an entity must be determined according to objective criteria.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> As the main establishment determines the relevant supervisory authority, the Working Party 29 stressed that the GDPR does not permit 'forum shopping' and conclusions cannot be based solely on statements by the controller or processor. The controller or processor’s analysis can be overturned based on an objective examination of the relevant facts.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>


'''Main Establishment of a Controller'''
====(a) Main establishment of a controller====


As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, ''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>  
=====General rule: central administration=====
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, "''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''".<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>  


Recital 22 GDPR defines an establishment as "''the effective and real exercise of activity through stable arrangements''". The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on ''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, already the presence of a single representative can constitute a stable arrangement when acting with a sufficient degree of stability and the necessary equipment to provide the specific services in the member states concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref>
Recital 22 GDPR defines an establishment as "''the effective and real exercise of activity through stable arrangements''". The legal form of such arrangements is irrelevant. According to [[CJEU - C‑230/14 - Weltimmo|C-230/14 - ''Weltimmo'']], an establishment depends on "''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State [which] must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned".''<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, merely the presence of a single representative can constitute a stable arrangement, when they are acting with a sufficient degree of stability and have the necessary equipment to provide the specific services in the member states concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref>


If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
=====Exception: processing decisions in another establishment=====
If a controller’s main establishment is not the place of its central administration in the EU, the exception to the general rules kicks in. In this case it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>


* Where are decisions about the purposes and means of the finally signed off’?
*Where are decisions about the purposes and means of the finally signed off’?
*Where are decisions about business activities that involve data processing made?
* Where are decisions about business activities that involve data processing made?
*Where does the power to have decisions implemented effectively lie?
*Where does the power to have decisions implemented effectively lie?
*Where is the Director with responsibility for cross border processing located?
*Where is the Director with responsibility for cross border processing located?
* Where is the controller or processor registered as a company?
*Where is the controller or processor registered as a company?
 
A supervisory authority may require from a controller to present additional information proving that its main establishment fulfils criteria envisaged in the GDPR.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref>
 
'''Main Establishment of a Processor'''


Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.
====(b) Main establishment of a processor ====


However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself but only in in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that already the intention of a member state’s establishment to provide advertisement space for a third country undertaking is processing of personal data in the context of the Union’s establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref>
=====Central administration=====
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.


Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref>
See above for details on determining the central administration.  


'''Cases Involving Both the Controller and the Processor'''
=====No central administration=====
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref>


Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''. For further information determining the lead and concerned supervisory authorities in cross border contexts involving both the controller and the processor see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR.
The meaning of 'the context of activities' has already been specified in [[CJEU - C‑131/12 - Google Spain|C-131/12 - ''Google Spain'']]. The CJEU build on a broad definition of 'establishment' and clarified that merely the intention of a member state’s establishment to provide advertisement space for a third country undertaking constitutes processing of personal data in the context of the Union’s establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref>


'''<u>Relevant Recitals</u>'''
Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU "''even if the local establishment is not actually taking any role in the data processing itself''".<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an "''inextricable link''" between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref>
{{Recital/22 GDPR}}
{{Recital/36 GDPR}}


===(17) Representative===
====Cases involving both the controller and the processor====
Representative are any legal or natural persons established in the union designated by a controller or processor, in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller, but they serve as contact persons for data subjects and DPAs towards controllers and processors that are only located outside the Union.
Recital 36 GDPR explains that "''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''". This is not reflected in the text of the relevant Articles.


In this regard, the notion of a representative becomes relevant in terms of actors that are falling within the territorial scope of the GDPR without having any establishment within the union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents such actors only established in a third country to become “infeasible” for data subjects and DPA’s within the union. Examples for representatives may therefore be designated employees, lawyers or whole firms established within the union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref>
For details see the commentary on [[Article 56 GDPR]].


The designation shall happen in a written form, containing the a mandate to represent the controller or processor under the obligations from the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time. the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities not providing a representative may be tackled by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> This goes especially for public authorities that are excluded from the designation of a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref>
===(17) Representative ===
Where a controller or a processor not established in the Union falls under the territorial scope of [[Article 3 GDPR|Article 3(2) GDPR]] due to processing activities related to data subjects in the Union, it must, in accordance with [[Article 27 GDPR]], appoint a representative in the EU. Representatives are any legal or natural persons established in the union, designated by a controller or processor.


'''<u>Relevant Recitals</u>'''
For more details and exceptions to the obligation to designate a representative see the commentary on [[Article 27 GDPR]].
{{Recital/80 GDPR}}


===(18) Enterprise===
===(18) Enterprise===
An enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of their size, legal form or interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref>
An 'enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of an enterprise, irrespective of their size, legal form or interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref> An enterprise requires a regular engagement in economic activities, which means activities intended to be carried out over a a long-term and not only in an occasional manner.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Being a 'small [or] medium enterprise' is a precondition for the waiver of the duties under of [[Article 30 GDPR|Articles 30(5) GDPR]].
 
An enterprise requires a regular engagement in economic activities, which means activities intended for a long-term and not only in an occasional manner.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are completely familiarly or personal activities as part of the household exception, see the commentary on [[Article 2 GDPR|Article 2(c) GDPR]].
 
While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ the translation to other languages merged both into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This can cause controversy around the assessment of fines according to [[Article 83 GDPR]], which by English language refers to the term of undertaking in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition of Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, however, the notion is to be understood broadly when enforcing actions or determining fines on a particular entity, see the commentary on [[Article 83 GDPR]].
 
'''<u>Relevant Recitals</u>'''
{{Recital/13 GDPR}}


===(19) Group of Undertakings ===
While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ other language versions merged both into a single notion (like 'Unternehmen' in German or 'entreprise' in French).<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").</ref> This caused confusion around the assessment of fines according to [[Article 83 GDPR]], which by English language refers to the term of undertaking in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition of Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> The broader definition of an 'undertaking', which includes parent companies and all subsidiaries, leads to higher fines for such structures, when the fine is calculated based on the global turnover.
A group of undertakings consists of a leading (“controlling”) entity and one or more thereof dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and their subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref>


In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref>
===(19) Group of undertakings===
A group of undertakings consists of a leading ('controlling') entity and one or more thereof dependent ('controlled') entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and their subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref> In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref>


Already two undertakings are sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref>
Two undertakings are sufficient to form a group.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).</ref> However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).</ref>


The classification as a group of undertakings becomes relevant for several provision across the GDPR, such as  
The classification as a group of undertakings becomes relevant for several provision across the GDPR, such as  


* The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]),
*The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]);
* The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]),
*The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]);
* The data transfer for internal administrative purposes ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) with Recital 48 GDPR)<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref>
*The data transfer for internal administrative purposes ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) with Recital 48 GDPR);<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref>
* The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).
*The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).
 
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’ also used throughout several provisions across the GDPR. These consist of separate and independent entities, which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.
 
'''<u>Relevant Recitals</u>'''
{{Recital/37 GDPR}}
{{Recital/48 GDPR}}
 
===(20) Binding Corporate Rules ===
Binding corporate rules (short ‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established on the union for transfers of personal data outside the union within their group. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve for for intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.


Furthermore, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, BCR must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules are therefore to be previously approved by the national DPA concerned.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information for these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on [[Article 47 GDPR]].
However, the notion is to be distinguished from a "''group of enterprises engaged in a joint economic activity''" who can jointly use binding corporate rules under [[Article 47 GDPR]]. These consist of separate and independent entities, which do not exercise control over each other,<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.


'''<u>Relevant Recitals</u>'''
===(20) Binding corporate rules===
{{Recital/110 GDPR}}
Binding corporate rules (short ‘''BCR''’) are data protection policies formulated by controllers or processors established in the Union for transfers of personal data to entities within their group that are established outside the Union. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only apply to intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.


===(21) Supervisory Authority===
For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on [[Article 47 GDPR]].
Supervisory Authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is, that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.<ref>See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and [https://www.europarl.europa.eu/charter/pdf/text_en.pdf#page=10 Article 8(3) ECFR] “''Compliance with these rules shall be subject to control by an independent authority''”.</ref>


Member states can decide to provide only one or multiple DPAs, to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established on the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is adhering to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European Institutions for their compliance with data protection rules.</ref> And while each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assisting each other and conduct joint operations with to foster a consistent application of the GDPR in cross border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR).
===(21) Supervisory authority===
 
Supervisory Authorities ('SAs') or, colloquially, 'Data Protection Authorities' ('DPAs') are the independent public authorities responsible for monitoring the application of the GDPR under [[Article 51 GDPR]]. Member States can decide to provide only one or multiple supervisory authorities, to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> <blockquote>{{Quote-example|Austria, France and Ireland have a single supervisory authority for enforcing the GDPR. While the Irish and French supervisory authorities are also in charge of enforcing the ePrivacy Directive 2002/58/EC (Austria gave this power to the Telecoms Regulator). Germany has a federal supervisory authority and at least one authority for each of the sixteen German states. Some states have more than one authority, for different types of controllers.}}</blockquote>Supervisory authorities act independently (see [[Article 52 GDPR]]) and shall be provided with various competencies ([[Article 55 GDPR|Articles 55, 56 GDPR]]), tasks ([[Article 57 GDPR]]) and powers ([[Article 58 GDPR]]). For further information, see the particular commentary on the named articles.
In this regard, DPAs may act independent (see [[Article 52 GDPR]]) and shall be provided with several competencies ([[Article 55 GDPR|Articles 55, 56 GDPR]]), Tasks ([[Article 57 GDPR]]) and Powers ([[Article 58 GDPR]]). For further information, see the particular commentary on these articles.
 
'''<u>Relevant Recitals</u>'''
{{Recital/117 GDPR}}
{{Recital/122 GDPR}}
{{Recital/123 GDPR}}


===(22) Supervisory authority concerned===
===(22) Supervisory authority concerned===
Qualifying a supervisory authority as ‘concerned’ can result out of three situations as laid out by Article 4(22) GDPR:
Only 'supervisory authorities concerned' have certain roles in the cooperation procedure under [[Article 60 GDPR|Articles 60]] to [[Article 66 GDPR|66]] GDPR. Other supervisory authorities may not participate in the relevant procedures. Qualifying a supervisory authority as ‘concerned’ can result out of three situations as laid out by Article 4(22) GDPR:  


*For a controller or processor, when it is established in a member state of a supervisory authority,
*For a controller or processor, when it is established in a member state of a supervisory authority,
*for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
*for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
*where a complaint has been lodged with that supervisory authority.
*where a complaint has been lodged with that supervisory authority.
'''Controller or Processor Establishment'''


==== Controller or processor establishment====
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of the form of such arrangements of an actual branch or subsidiary within the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is fostered by the EUCJ, including any real and effective activity exercised through stable agreements independently of their formalistic approach as an establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref>
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of the form of such arrangements of an actual branch or subsidiary within the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).</ref> This broad understanding is fostered by the EUCJ, including any real and effective activity exercised through stable agreements independently of their formalistic approach as an establishment.<ref>EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref>


'''(Likely) Substantially Affection of the Data Subject'''
==== (Likely) Substantial affection of the data subject====
 
A substantial affection, although not being further specified from the GDPR, indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> On the contrary, merely the likelihood of such an impact is sufficient, and an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to the state as its permanent habitual centre.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref>
A substantial affection, although not being further specified from the GDPR, indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).</ref> On the contrary, already the likelihood of such is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref> In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to the state as its permanent habitual center.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).</ref>
 
'''Filing a Complaint with the Supervisory Authority'''
 
Filing a complaint with a particular supervisory authority makes them ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> the supervisory authority can possibly be concerned without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].
 
'''<u>Relevant Recitals</u>'''
{{Recital/124 GDPR}}
 
===(23) Cross-Border Processing===
Cross border processing means any processing taking place (i) in the in the context of the activities of establishments of a controller or processor in multiple member states, or (ii) in the context of a single establishment of a controller or processor in the union with (likely) substantially affects to data subjects in more than one member state.
 
Both conditions are therefore attached to the notion of ‘establishment’, whereas (i) requires the controller or processor to have multiple establishments within different member states of the union, while (ii) only requires the controller or processor to have an establishment within a single member state of the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref>
 
'''Processing in the Context of Establishments within Multiple Member States'''
 
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of the formal declarations as a branch or subsidiary within the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an extricable link between the activities of the establishment and the processing is already sufficient.<ref>Google, EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Only remote links to the processing in question may not involve another entity and therefore not form a ‘cross border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>
 
'''Processing (likely) to Substantially Affect Data Subject in Multiple Member States'''
 
A substantial affection, again indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, already the likelihood of such is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref>
 
The evaluation of across border processing is relevant for determining the competent lead supervisory authority in situations where the processing would concern such of multiple member states. In this regard, it contributes to the ‘one-stop-shop’-principle, which is further described within the commentary of [[Article 56 GDPR]].
 
'''<u>Relevant Recitals</u>'''
{{Recital/22 GDPR}}
{{Recital/124 GDPR}}
 
=== (24) Relevant and Reasoned Objection===
The ‘relevant and reasoned objection’ refers to situations, in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a decision draft provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in terms of a cross-border-processing context.<ref>See Article 4(23) GDPR.</ref> When such objection is exercised by the supervisory authorities concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]).
 
In order to not overload the EDPB with insufficiently grounded submissions causing delays for decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. In this regard, they have to show an infringement or compliance of the GDPR in opposition to the lead authorities decision draft clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref>


An objection is therefore only relevant and reasoned, when it refers to the concrete draft of a decision and does not only contain concerns of general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires to provide the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the the non-negligible risks for the data subjects or the free flow of personal data entailed.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref>
====Filing a complaint with the supervisory authority====
Filing a complaint with a particular supervisory authority makes them a ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> the supervisory authority can possibly be 'concerned' without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]].


The notion of relevant and reasoned objection is to be further developed by the EDPB.<ref>See Recital 124 Sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en here]).</ref> For further information on the EDPB’s criteria and procedure on elaborating a relevant and reasoned objection, check the commentary on [[Article 60 GDPR|Articles 60, 65 GDPR]].
===(23) Cross-border processing===
The definition of 'cross-border processing' is not intuitive, as not every form of cross-border processing is 'cross-border' under the GDPR. The limited definition in turn limits the application of the ‘one-stop-shop’ system, which is further described within the commentary of [[Article 56 GDPR]].


'''<u>Relevant Recitals</u>'''
====(a) Processing in the context of establishments within multiple Member States====
{{Recital/124 GDPR}}
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,<ref>See Recital 22 sentence 2 GDPR.</ref> independent of the formal declarations as a branch or subsidiary within the Union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.</ref> Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an extricable link between the activities of the establishment and the processing is already sufficient.<ref>Google, EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.</ref> Only remote links to the processing in question may not involve another entity and therefore not form a ‘cross border processing’.<ref>For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see ''EDPB'', Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf here]).</ref>


===(25) Information Society Service===
====(b) Processing (likely) to substantially affect data subject in multiple Member States====
For the definition on ‘information society service’ the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535], on a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. Hereafter, such services are any “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.<ref>Article 1(1)(b) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref>
A substantial affection, again indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).</ref> In this regard, the mere likelihood of such an impact is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case by case basis.<ref>For a list of relevant criteria, see ''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).</ref>


‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when using electronic means, services provided within the physical presence of the recipient to the provider are not falling within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref>
===(24) Relevant and reasoned objection===
A ‘relevant and reasoned objection’ is an objection by a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> to a draft decision provided by a lead supervisory authority.<ref>See [[Article 56 GDPR]].</ref> When such an objection is submitted by the supervisory authorities concerned, the lead supervisory authority can either follow the objection (see [[Article 60 GDPR|Article 60(4) GDPR]]) or submit the matter to the EDPB (see [[Article 65 GDPR|Article 65(4) GDPR]]).


‘By electronic means’ requires, that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example through being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> And while offline services are excluded from these services,<ref>See also see Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the selling of goods, advertising and gaming do qualify as such.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref>
In order to limit objections by other supervisory authorities,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. They must also 'clearly demonstrate' the 'significant risks' posed by the draft decision,<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref> either for the fundamental rights and freedoms of data subjects or the free flow of personal data within the Union. As a consequence, it is not enough for a concerned supervisory authority to just raise a concern that a draft decision by the lead supervisory authority is unlawful.


An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, teletext, are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> On the contrary, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref>
For details see the commentary on [[Article 60 GDPR|Articles 60]] and [[Article 65 GDPR|65]] GDPR.


Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical example are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref>
=== (25) Information society service ===
For the definition on ‘''information society service''’ the GDPR refers to Article 1(1)(b) of [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN#page=3 Directive (EU) 2015/1535]. The classification as information society service becomes relevant in several contexts of the GDPR, such as children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]).  


* Online legal or health services
====At a distance====
*Online libraries or newspapers
‘At a distance’ means that the service is provided without the parties being simultaneously present.<ref>Article 1(1)(b)(i) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Thus, even when using electronic means, services provided within the physical presence of the recipient to the provider do not fall within this definition.<ref>For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref>
*Online shopping and booking services
*Online media-platforms or video games
*Online search engines and web browsers


The classification as information society service becomes relevant in several contexts of the GDPR, such as its material scope (see [[Article 2 GDPR|Article 2(4) GDPR]]),<ref>Especially in terms of liability rules coming from Articles 12 to 15 of the [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=EN#page=12 eCommerce-Directive 2000/31/EC]; see also Recital 21 GDPR.</ref> children’s consent (see [[Article 8 GDPR|Article 8(1) GDPR]]), the right to erasure (see [[Article 17 GDPR|Article 17(1)(f) GDPR]]) or the right to object (see [[Article 21 GDPR|Article 21(5) GDPR]]). For further information in this context, see the commentary in the relevant provisions.
====Electronic means====
‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example, through being transmitted by wire, radio, optical or other electromagnetic means.<ref>Article 1(1)(b)(ii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> While offline services are excluded from this definition,<ref>See also see Annex I(2.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> composite services such as the selling of goods, advertising and gaming do qualify as such.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available [https://ec.europa.eu/newsroom/article29/redirection/document/51030 here]).</ref>


'''<u>Relevant Recitals</u>'''
====Individual request====
{{Recital/21 GDPR}}
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.<ref>Article 1(1)(b)(iii) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, and teletext are therefore not covered.<ref>See Annex I(3.) [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN Directive (EU) 2015/1535].</ref> On the contrary, video-on-demand or pay-per-view services do qualify as information society services.<ref>EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/04 here]).</ref>


===(26) International Organisation===
====Typical cases====
An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries.
Accordingly, most online services encountered nowadays fulfill the criteria of an information society service. Typical example are:<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).</ref>


While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves as a source of inspiration for interpreting EU law according to the CJEU.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines international organisation as ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref>
*Online legal or health services;
*Online libraries or newspapers;
*Online shopping and booking services;
*Online media-platforms or video games;
*Online search engines and web browsers.


In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO as well as Inter- and Europol shall fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGO’s, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref>
===(26) International organisation===
An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries. The classification as international organisation is relevant in terms of the additional rules placed on data transfers, according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organisations as as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers, please see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].


The classification as international organization is relevant in terms of the additional rules placed on data transfers, according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organizations as as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]].
While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969,<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves as a source of inspiration for interpreting EU law according to the CJEU.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines international organisation as ‘intergovernmental organisation’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref>


===Further Definitions===
In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO) as well as Interpol and Europol shall fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGOs, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref>
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains further articles that directly or indirectly deliver definitions in its context, such as:
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’,
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’,
*[[Article 5 GDPR|Article 5(1)(c) GDPR]]: ‘data minimisation’,
*[[Article 5 GDPR|Article 5(1)(d) GDPR]]: ‘accuracy’,
*[[Article 5 GDPR|Article 5(1)(e) GDPR]]: 'storage limitation’,
*[[Article 5 GDPR|Article 5(1)(f) GDPR]]: ‘integrity and confidentiality’,
*[[Article 5 GDPR|Article 5(2) GDPR]]: ‘accountability’,
*[[Article 8 GDPR]]: ‘child’,
*[[Article 9 GDPR]]: ‘special categories of personal data’,
*[[Article 51 GDPR]]: ‘supervisory authority’,
*[[Article 68 GDPR]]: ‘European Data Protection Board’.
For further information check the commentary on the respective Articles.


==Decisions==
==Decisions==

Latest revision as of 11:58, 14 November 2024

Article 4: Definitions
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 4 - Definitions

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

16. ‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Relevant Recitals

Recital 14: Not Applicable to Legal Persons
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Recital 15: Technologically Neutral Protection
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

Recital 26: Applicable to Pseudonymous Data, Not Applicable to Anonymous Data
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recital 27: Not Applicable to Deceased Persons
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Recital 28: Pseudonymisation as a Measure of Data Protection
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

Recital 29: Conditions for Pseudonymisation
In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

Recital 30: Online Identifiers
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Commentary

Article 4 GDPR provides a list of definitions used to further specify relevant terms used throughout the GDPR.

Some definitions are taken from the preceding Directive 95/46/EC, allowing an understanding to build upon the already existing terms. Other definitions, however, are newly introduced, modified, or complemented with additional elements, and therefore require a new interpretation.

(1) Personal data

The principal concept of the GDPR is that of personal data’, as the Regulation only applies to personal data and refers to it throughout the text of the GDPR.

Its definition developed from a previously existing definition under Article 2 (a) Directive 95/46/EC.[1] The Directive itself derives the definition from Article 2 (a) Convention 108,[2] according to which "personal data means any information relating to an identified or identifiable individual".

The definition can be divided into the following four requirements: (1) ‘any information’; (2) ‘relating to’; (3) ‘an identified or identifiable’; (4) 'individual'. The fulfilment of all of these aspects is required in order to satisfy the notion of personal data.

Any information

With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.

In this regard, the German Constitutional Court already in 1983 stated that "Under the conditions of automatic data processing, there is no longer meaningless data."[3] This position is supported by the Commission, stating that "any item of data relating to an individual, harmless though it may seem, may be sensitive",[4] thereby also following the wish of the Council to keep the definition as general as possible.[5] Equally, the European Court of Human Rights stated that “private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”.[6]

Accordingly, personal data includes any information, no matter if it relates to the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.[7]

Example-icon.png

For example: Petra is keeping various information on her smartphone. This includes information that she does not seem to treat as private, as she even shares them online on widely available platforms, with her name attached, but there is also information about her love and sex life in chats, that she clearly feels are very private. In addition she keeps data in relation to her job as an independent contractor on her phone. The GDPR covers all such information - no matter if the information is trivial or extremely sensitive, private or related to her business.

The information can either be 'objective' such as unchangeable characteristics of a data subject as well as 'subjective' in the form of opinions or assessments.[8] It is thereby not necessary for the information to be true, proven or complete.[9] This means that also mere likeliness, predictions or planning information is covered by the GDPR, as long as it relates to a person.

Example-icon.png

For example: Petra is also customer of a bank with a private and a commercial bank account. The bank does not only hold her name, address, contact data or passport information, but also all her transaction data. In addition the bank also uses a system to predict if Petra may default on her loan. For the prediction the Bank uses information about unpaid bills from a third party provider. The information is actually incorrect, as Petra always paid her bills. All such data is covered by the GDPR, allowing Petra to e.g. use her rights under the GDPR to take action against incorrect information associated with her.

With regards to the format or medium of the information, data of any type - may it be alphabetical, numerical, (photo)graphical, acoustic - is included. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,[10] telebanking,[11] medical prescriptions,[12] or even child's drawings.[13] The GDPR deliberately does not specify the medium or types of information, following a 'tech neutral' approach.

Relating to

The information needs to relate to an individual. In accordance with the WP29,[14] the CJEU assesses this requirement based on three different criteria, i.e. "where the information, by reason of its content, purpose or effect, is linked to a particular person".[15]

The content of the information is 'relating to' a person when it is about a particular individual.[16] On the contrary, information relating to a larger group of people without any possibility to single out a individual is not related to a particular person.[17]

Example-icon.png

For example: A marketing company's system identifies twenty different groups within the French society. They assign different income levels, spending behaviours, and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to such a group – claiming that he would be conservative, mid-level income, and open to spending his income on travels – this information now relates to Felix and is covered by the GDPR.

Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.[18] However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows others to infer the owners wealth and income situation while car service records allow conclusions towards their driving behaviour.[19] Also, Geodata (like GPS data and coordinates) allows others to derive locations and movement patterns of individuals.[20] Equally, information from satellite images could be used to find out if a person can afford a large property or a swimming pool, provided that the image can be linked to an individual.[18] This is particularly relevant in the current technological landscape, considering the wealth of information which can be extracted from a growing number of personal devices, wearables and RFID-Chips, especially as these devices become increasingly associated to their owners or users.[21]

Example-icon.png

For example: A controller uses unique IDs of smart watches, smart phones and connected cars to collect information about the use of these devices. These devices are all used by a single person, so in fact the use of these devices also 'relate[s] to' a natural person.

Furthermore, the purpose of the information can determine whether it is 'related to a person', where it is used to change their particular status or behaviour.[22] Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.[23] The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.[24] For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.[25]

Identified or identifiable

The person to which the information relates must also be identified or identifiable.

A person is "identified" when they can be directly distinguished or "singled out" from a larger group of persons, based on the information.[26] This can be achieved through several 'identifiers' listed by Article 4(1) GDPR, such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone number, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.[27] Note that the name of a person is therefore not necessarily required to identify an individual as there are often more unique identifiers.[28]

Example-icon.png

For example: A controller holds the phone number of data subjects, but not the names. The users are still 'identified' by that number and the GDPR applies.

Example-icon.png

For example: Example: 'Ursula Schmidt' is such a generic name, that it may not be identified or even identifiable without additional information or context. 'Ursula von der Leyen' may be so specific that it is identifiably the president of the European Commission.

A person is "'identifiable' when they have not been identified yet but where identification is possible through a combination of available pieces of information.[29] It can be unclear what is still 'identifiable' and what is not anymore. Different people may have different abilities to identify a person, and different contexts or situations may lead to different answers as to the person being identifiable. Recital 26 clarifies that "to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used... either by the controller or by another person to identify the natural person".

Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from any other entities to identify a person. However, the 'reasonable likeliness' of such information being used by the controller or a third party, narrows the approach. In this regard, Recital 26 adds that in order "to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification... the available technology at the time of the processing and technological developments".

In other words, while not all of the information required to identify the person needs to be in the hands of the controller[30] the mere hypothetical possibility to identify the person with the information from other entities is not sufficient.[31] Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual, taking into account the use of state-of-the art tools, available sources, costs, time, and effort requried to identify the individual. The assessment is factual and is not limited to lawful means to identify a person, when it is reasonably likely that an actor could also use unlawful ways to identify a person.

In C-582/14 Breyer the CJEU had to consider if IP addresses enable the identification of a natural person. The IP address is the number under which a computer or smartphone can be reached over the internet. Almost every controller exchanging information with a data subject over the internet will have to use the IP addresses. IP addresses can be dynamic (meaning the number is lost every 24 hours or every time a customer restarts their internet modem) or fixed (which means the number is always associated with the same customer). It may be that such a number is associated with a user account, in which case it becomes personal data. Even if the number itself may not be linkable by a controller, governments but also private entities may have legal powers to access subscriber details in relation to the IP-address. The CJEU found that even in such cases, the IP address can constitute personal data.[32]

CJEU-icon.png

"[A] dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data [...] in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person."

CJEU - C-582/14 - Breyer, margin number 49.

This example from case law shows that many data types may constitute personal data in one situation and not in another situation. Usually controllers and processors cannot, for example, determine if an IP address in their log files is dynamic or fixed. In practice this may mean that controllers or processors choose to treat all IP addresses as if they are personal data, to ensure compliance with the GDPR.

Furthermore, taking the increasing accessibility of information through means such as big data technologies and device fingerprinting into consideration, measures to successfully identify individuals are becoming increasingly effective.[33] Additionally, because more information is continuously added to individual data sets and stored over a longer period of time, persons are significantly more likely to be identified.[34]

Natural person

The right to data protection is not restricted to certain nationals or citizens of specific countries[35] but granted to all natural persons according to Article 8 of the EU Charter of Fundamental Rights ("Everyone has the right to the protection of personal data concerning him or her").[36]

Example-icon.png

For example: third country immigrant entered the EU illegally. Once she arrives she makes a WhatsApp call to inform her family back home that she is safe and is now in the EU. Given that the geographic application of Article 2 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR - independent of her immigration status or citizenship. This is because the GDPR follows a human rights approach.

Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.[37] Following up with the GDPR, information relating to deceased persons is then not considered personal data.[38] However, member states may provide alternative rules for the protection of deceased persons[39] which is usually achieved through further data protection, constitutional, or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through their relatives.[40] For more information, see also the commentary on Article 4(13) GDPR.

Example-icon.png

For example: The health records of a deceased patient are not protected by the GDPR. However, most EU Member States have various rules relating the the use of health data or civil law provisions in relation to the right to privacy that may still cover information of deceased persons.

As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.[41] However, related provisions from the ePrivacy-Directive,[42] national data protection laws, or constitutional laws sometimes grant alternative protection.[43] Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. This is particularly relevant where the information on a legal person allows one to derive information on a natural person. For example, a company name or mail address may be related to a natural person and therefore constitute personal data. This is especially common for smaller, family run, or one person businesses/enterprises.[44]

Example-icon.png

For example: 'Marta O'Connel's Plumbing of Limerick Ltd.' is a limited company and not directly considered a 'natural person' under the GDPR. However, the sole owner and manager is Marta O'Connel and there is also no other female plumber in the whole province of Limerick. Therefore, it is easy to identify the natural person behind the legal entity. Information about 'Marta O'Connel's Plumbing Ltd.' going bankrupt therefore clearly also relates to an identifiable natural person and is, as such, covered by the GDPR.

Anonymous data

Personal data is often contrasted with 'anonymous' data. Anonymous data is data relating to a person that is not identifiable. The GDPR does not protect such data and controllers or processors are free to use such data (unless there are limits under other applicable law).

Example-icon.png

For example: Employees can participate in an internal vote. The ballots are thrown into a ballot box and mixed. The votes are properly anoymized. In a digital system, data can be stored without any linked personal information (like the user IDs). If the remaining information is anoynmous data and not covered by the GDPR.

In practice, it gets increasingly hard to truly anonymise personal data, especially when data is not very limited and uniform, or can be connected with other available information. New methods and technologies, such as big data analytics and artificial intelligence, are able to match and connect information that humans may not identify as being related.

Example-icon.png

For example: In 2006 the internet company AOL released 20 million searches that were entered into its search engine over three months. The searches of users could be connected via an anonymous ID. As many users entered personal information in the search box, the New York Times was able to quickly find the relevant users. AOL deleted the file later, but it was already widely copied.

Some technical solutions that may be useful or even required under the GDPR (e.g. from a security perspective under Article 32 GDPR or as a means of data minimisation under Article 5(1)(c) GDPR) can get confused with techniques to truly anonymise data.

Example-icon.png

For example: A payment provider and an airline strike a cooperation deal. When customers enter an email address during the airline booking process and the payment provider has the same email address in its files, only the payment provider will be shown as a payment option. The airline pays a lower transaction fee in return. To limit the exchange of customer data, they agree to only share 'hashes' of the email, which is a cryptographic fingerprint of the email address. While you cannot regenerate the email address from the hash value, everyone in possession of the email address can calculate the same hash value and see that the hash matches the email address. The technicians tell their Data Protection Officer that they only exchange anonymous data and there are no privacy issues involved. The Data Protection Officer, however, realises that the airline can single out the relevant customers. The data is therefore personal data and the system falls under the GDPR.

Examples of personal data in the CJEU's case law

There are a number of data types that were already the subject of CJEU case law:

  • Name, date of birth, nationality, gender, ethnicity, religion and language;[45]
  • Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities;[46]
  • Municipality, information concerning the earned and unearned income and assets of a person;[47]
  • Salaries of employees of a public body;[48]
  • Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies;[49]
  • Working hours and times, as well as the corresponding breaks and intervals;[50]
  • Telephone numbers, employment and hobbies;[51]
  • Dynamic IP address;[52]
  • Video surveillance;[53]
  • The content of written exams;[54]
  • Fingerprints.[55]

As always, whether or not data is actually personal data is a matter of context and case-by-case analysis.

(2) Processing

Processing is another central requirement for the application of the GDPR. It is defined as "any operation or set of operations which is performed on personal data".

Any operation or set of operations

The notion of processing is formulated broadly by the GDPR as 'any operation or set of operations'. The inclusion of 'a set of operations' means that, within the GDPR, the word 'processing' may refer to a single processing operation or a set of any number of operations.

The term processing is further explained by a list of non-exhaustive examples:

  • Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms;[56]
  • Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors;
  • Organisation (systematic ordering to enhance access and evaluation of information), such as the allocation of information within databases;
  • Structuring (ordering data according to certain criteria), e.g. in numeric or alphabetical order;[57]
  • Storage (saving information to a physical and readable format), such as information on paper, files, disks, drives or cloud servers;[58]
  • Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income;[59]
  • Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation;[60]
  • Retrieval (accessing stored information), for example loading information to be displayed on a device;[61]
  • Consultation (accessing stored information through targeted searches), such as using search routines to find and display data;[62]
  • Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails;[63]
  • Disclosure by transmission ('pushing' information to recipients or other third parties), such as sharing customer information with another company;
  • Disclosure by dissemination (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting;[64]
  • Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines;[65]
  • Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions;
  • Combination (merging information), such as profiling (see also Article 4(4) GDPR);[66]
  • Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website;[67]
  • Erasure (irreversible rendering of information impossible to access), such as overwriting data multiple times;[68]
  • Destruction (physically destroying the data carrier), such as shredding of files.[69]

The only major exception to the above is where the controller remains completely passive without taking any active action towards information that is imposed by the data subject.[70]

Performed on personal data

To be considered as 'processing' the operation in question has to be performed on personal data. Processing of other data does not fall under the definition.

Whether or not by automated means

Processing can be carried out by fully automated, semi-automated, or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.[71]

Example-icon.png

For example: A person manually enters names into a system. The names are processed. The data is then stored and never looked at again. Storage is also processing and needs to comply with the GDPR. After years the hard drive that the data was stored on gets shredded. The destruction equally constitutes processing.

(3) Restriction of processing

Restriction is a specific form of processing. The restriction of processing means neither a complete prohibition to process nor an erasure of personal data, it is best described as a freezing of personal data for a certain period of time.

Usually, restrictions to the processing of personal data occur when the data is not required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.[72] The restriction of processing can also be initiated by request of a data subject under the requirements of Article 18(1) GDPR or a data protection authority according to Article 58(2)(g) GDPR. For more information see the commentary on these provisions.

Example-icon.png

For example: Greta finds out that a credit ranking agency holds wrong information about her. As a consequence she cannot get a cell phone contract. The credit ranking agency has a huge backlog when correcting data. In the meantime the wrong information can be marked as contested and not used in the system.

Marking of stored personal data

The provision only applies to stored personal data. Personal data that is not at rest do not seem to be subject to a restriction of processing.

Marking the data is usually done by labels in systems or any other similar approach.

Aim of limiting their processing in the future

The restriction is not just limited to the marking of data, but must have the aim of limiting certain personal data only for very limited purposes.[73] In practice this means that systems also have to react to the marking and, for example, not include the data in other processing operations anymore.

Obviously the limitation can only have an effect in the future. The fact that the law only requires one to 'aim' for the limitation should not be understood that the limitation must not be fully implemented.

Implementation

Technically, the restriction is realized through markers on the data in question which block it from further processing in the future.[74] In terms of automated systems, the restriction shall be ensured by technical safeguards to ensure the personal data is not subject to further processing or changes.[75] In terms of non-automated systems, marking the data is typically not sufficient but requires a relocation to a separate storage system with access restrictions.[76]

Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.[77] In case, the data subject needs to be informed about the restriction of processing of their personal data according to Article 18(3) GDPR.

(4) Profiling

Profiling is a specific form of processing. The concept is used in various provisions of the GDPR such as its territorial application, see Article 3(2)(b) GDPR, or automated decision making, see Article 22 GDPR. Profiling also triggers information duties under Articles 13(2)(f) and 14(2)(g) GDPR; access rights under Article 15(1)(h) GDPR; or the the need to perform data protection impact assessments under Article 35(3)(a) GDPR.

Evaluation of personal aspects

Profiling is defined as a processing operation with the purpose of evaluating personal aspects of a natural person.

Despite the rather specific general meaning of 'profiling', there is no minimal threshold of how much data must be used to constitute profiling or how personal or sensitive the personal aspects should be. The definition is therefore very broad and includes any way of calculating personal aspects of individuals.

Profiling is typically done by the application of statistical-mathematical measures to personal data that produce analysis of predictions of personal aspects.[78]

Automatic processing

Manual review of personal data to evaluate personal aspects does not constitute profiling, as the definition requires 'automated processing'.

Exemplary list

The definition provides a non-exhaustive list over common types of profiling, such as:

  • performance at work;
  • economic situation;
  • health;
  • personal preferences;
  • interests;
  • reliability;
  • behaviour;
  • location; or
  • movements.

Practical examples of 'profiling' are therefore:

  • Creating customer preferences based on previous purchases or clicks;
  • Maintaining customer profiles for more efficient marketing;[79]
  • Operating systems for credit rating/scoring;[80]
  • Operating e-Recruitment Systems.[81]

(5) Pseudonymisation

Pseudonymisation is a form of processing that alters personal data so that identifying information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. The aim is to reduce risks for the data subjects and help controllers and processors to meet their obligations under the GDPR,[82] such as data minimisation or as part of a data security concept.

Pseudonymised data is a specific type of personal data and still falls under all relevant provisions of the GDPR. There are however some provisions that refer to pseudoymized personal data and treat it (slightly) different than personal data:

No longer attributed to a specific data subject

In order to count as pseudonymised data, the personal data must be processed in a way that cannot be attributed to specific data subject without the use of additional information. The pseudonymised data set itself, therefore. does not relate to an identified or identifiable person.

Additional information permitting attribution

Information allowing attribution of the data subject needs to be stored separately and must secured by technical or organisational measures to prevent identification.[83]

Implementation

Examples for the pseudonymisation of personal data include:

  • Replacement of names through ID’s, codes or aliases;[84]
  • Encryption of personal data;[85]
  • Hashing of personal data.[86]

Difference to anonymization

The distinction between anonymized and pseudonymised data follows the decisive criteria of any reasonable likeliness from sentences 3 and 4 of Recital 26 GDPR, considering the cost, time, and available technology required to identify the data subject. However, considering the recent emergence of big data analytics and advanced data processing capabilities, the process of anonymisation is becoming increasingly difficult.[87]

Common mistakes-icon.png

Common mistake: Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.[88] Pseudonymisation, on the other hand, generally allows for an identification through the use of additional of information and is therefore reversible.[89]

(6) Filing system

The definition of a 'filing system' is relevant for the application of the GDPR in cases of non-automated data processing (see Article 2(1) GDPR).

Set of personal data

A filing system is characterized through a structured set of personal data. The data can be stored within either single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require the storage of information on multiple persons. Storing structured information on a single person may qualify as filing system.[90]

Structured by specific criteria

A set of data is only a structured filing system if it is accessible according to specific criteria. The structure of the information must allow a targeted search of personal data.[91] For example, when personal data on a particular person is 'retrievable' it already satisfies this requirement.[92]

Typical examples

Examples are:

  • Paper archives, sorted by name, date or any other system;
  • Salary lists on employees;[93]
  • Saved letter-correspondence with customers;[94]
  • Covid-19-Guest-Lists sorted by date.[95]

(7) Controller

The controller is the main addressee of obligations under the GDPR. The controller is defined as the body that determines the purposes and means of the processing. This broad definition of the concept of controller is intended to ensure the effective and complete protection of data subjects.[96]

Objective approach

The GDPR foresees that the controller must be determined based on the objective facts of the case. This means that mere declarations in contracts, privacy notices and alike do not constitute a binding determination of controllership. The objective approach requires a detailed assessment, but also prevents so-called 'forum shopping' and responsibility shifting.

Any natural or legal person

A controller can be any natural or legal person, public authority, agency or other body. Everyone with legal capacity can be a controller when processing personal data, including individuals, private legal entities, or government entities. It is necessary to assign the determination of purpose and means (see below) to a responsible entity. Departments, individual establishments, or other elements that are not legally independent form one controller together with the legal entity that they belong to.[97]

It is after all a matter of national law if, for example, workers councils within a company or individual government entities form a legally separate body or not. If they are legally separate holders of rights and duties, they can form a separate controller.

If a person within the controller acts outside of their assigned capacity and processes personal data for their own purpose, their acts cannot be attributed to the controller and they become their own controller, with their own responsibilities of any processing operation they may undertake.[98]

Example-icon.png

For example: In Member State 'A' schools are their own legal entity. In Member State 'B' schools are part of the Ministry of Education and are not separate holders of rights. In Member State 'A' the school is typically the controller for processing operations within it, while in Member State 'B' the Ministry is typically the controller. If the computer science teacher in either school decides to use a school server to host his own private software project, the teacher is typically considered a separate controller.

Determination

The key element of the controller definition is the focus on the entity making the relevant determinations for any processing activity. The determinations of persons acting on behalf of an entity are attributed to that entity. It is necessary to review which entity, or element within an entity, objectively made determinations about the purpose and means. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.[99]

Merely formal declarations are not relevant. Especially in complex situations where many players are involved in the processing operation, the proper identification of the controller may prove to be complex.

Example-icon.png

For example: Company 'A' offers an app to users. The head of the IT department suddenly decides that personal data of users will be processed for the purpose of product improvement and advertisement of the app itself. The CEO of the company does not raise any objections. Company 'A' is the controller for the processing operations and ultimately responsible for complying with the GDPR.

Purposes

Personal data may only be processed for a specified, explicit and legitimate purpose (see Article 5(1)(b) GDPR). The body that decides over the purpose is typically the controller. The determination of the purpose it the primary element to review when determining controllership.[100]

Means

The means include the personal data that is processed to achieve the purpose; the duration of the processing; the recipients of personal data; as well as the technical means to process personal data, such as hardware or software.[101] The controller must only determine the means, but must not control them physically.

Example-icon.png

For example: A company uses an external service for statistical analysis. The systems of the external service collect personal data and calculate the results. The company does not even have access to the raw information. Nevertheless, the company has determined the purposes and means of the processing (including the described system) and is hence the controller.

Opening clause for a determination by EU or Member State law

Article 4(7) GDPR allows that specific EU or national law (lex specialis) may assign the controllership to a certain entity for specific processing operations. Such provisions typically define controllership when private entities act in the public interest or are fulfilling public tasks. The clause also allows Member States to clarify controllership among different public bodies or elements. Such explicit determinations in EU or national law should not be confused with generic national laws that assign certain duties to an entity without determining controllership itself.

In case national law makes such a determination, it should be ascertained whether that law specifies the controller or lays down the criteria applicable to its nomination.[102]

CJEU-icon.png

"It must also be stated that, having regard to the broad definition of the concept of ‘controller’ within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned [...]"

CJEU - C-200/23 - Agentsia po vpisvaniyata, margin number 74..


Joint controllership

In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to Article 26 GDPR. Important, however, is utlimately the factual influence on the processing of the personal data[103] (see Recital 79 GDPR). In this regard, the participation and influence on the purpose and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.[104]

For example, a joint controllership is assumed between:

  • Search-Engine-Operators and the websites on which information is structured, presented and complemented with advertisements within search results;[105]
  • Facebook and the entity administering pages on the social network;[106]
  • Websites that integrated elements of a third-party controller, such as a ‘Like Button’.[107]

In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller, as required by Article 26 GDPR.

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(8) Processor

In practice most controllers do not process all their personal data themselves, but use various external providers, such as hosting providers, SaaS providers or so-called 'Cloud' providers, that process data on their behalf. The GDPR regulates these 'processors', as well as the interplay between the controller and the processor.

Once an entity qualifies as a 'processor', many provisions of the GDPR apply, such as the required implementation of technical organizational measures (see Article 32 GDPR) as well as the possibility of being fined (see Article 82 GDPR). Of additional relevance is Article 28 GDPR, that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on Article 28(3) GDPR.

It should be noted that this definition includes the initial processor engaged directly by a controller as well as sub-processors along the processing chain (processors engaged by another processor).[108]

Any natural or legal person

Just like a controller, a processor can be any natural person, legal person, public authority, agency, or body. Internal units that process personal data on behalf of another department within the same legal entity (e.g. an IT department) are not processors, but are part of the controller.

Processing on behalf of the controller

The most important distinction is that, unlike the controller, the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.[109]

Sub-Processors

A special form of the processor is the 'sub-processor'. This is another processor, that is engaged by the processor. In theory there can be any number of sub-sub-processors. In practice such setups are very hard to manage for a controller. For further information see the commentary on Article 28(2) and (4) GDPR.

Distinction to a (joint) controller

In practice major IT companies (usually 'processors') are often more in control of processing operations than their commercial customers (usually 'controllers'). They usually offer a standard product with very specific terms and conditions, while many controllers may not. Therefore, it can be difficult to distinguish a 'joint controller' or 'co-controller' from a processor.

Roles are specific for each processing operation

Usually each processor also conducts processing operations where it is itself the controller. This is also the case whenever the processor acts against the orders of the controller and processes personal data for further purposes. In all these situations, it qualifies as a controller.[110]

Exemplary list

In this regard, the Working Party 29[111] provides some references as examples of controller-processor relationships:

  • Outsourcing of call centers for customer communications;[112]
  • Outsourcing of mail services;[113]
  • Cloud Hosting and grid computing;[114]
  • A separate entity specialized in data processing within a group of companies.[115]

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(9) Recipient

The 'recipient' is an umbrella term and defined as anybody (like controllers, processors, third parties) to whom personal data is disclosed to. Therefore, whenever a controller sends personal data to another entity, this entity classifies as recipient.[116] The concept of the recipients is primarily relevant in terms of information obligations of the controller. According to Article 13 to 15 GDPR,[117] the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, whenever disclosing personal data to another entity, cannot completely take over responsibility for processing on its own any more.[118] Listing the recipients ensures that the data subject is fully informed as to the whereabouts of their personal data.

Any natural or legal person

Just like a controller or processor, a recipient can be any natural person, legal person, public authority, agency, or body. On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.[119]

Disclosure

The core element of the definition is the 'disclosure' of personal data. This includes any voluntary act of data sharing, including transmission, dissemination or otherwise making available (see Article 4(2) GDPR).[120]

Processors

There is an ongoing discussion as to whether a 'processor' can also be considered a 'recipient'. On the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.[121] However, the concept of the recipient is completely independent of the third-party.[122] With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, Article 28 GDPR does not relieve the controller to inform the data subjects about its processors as recipients according to Article 13 to 15 GDPR.[123]

Exception for public authorities

Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.[124] These inquiries, however, must be in the general interest and in accordance with Union or Member State law.[125]

(10) Third Party

The term 'third party' is used to describe anyone other than the data subject. This notion becomes relevant mostly in terms of evaluating interests, such as in Article 6 (1)(f) GDPR.[126]

Negative definition

'Third party' constitutes a negative definition, as any natural or legal person, public authority, agency, or body different from:

  • the data subject;
  • controller;
  • processors; or
  • any other person authorized to process personal data by the controller.

Dynamic classification of third parties

While an entity may be a third party may from the perspective a given controller, it may itself be a controller or processor for any processing operation it conducts itself. The notion of a 'third party' is therefore not absolute, but based on the circumstances of a certain processing operation.

Typical cases

Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.[127] Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.[128] Similarly, internal staff of the controller are not a third parties, unless the employee uses personal data for their own purposes outside of the employment context.[129] In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.[130]

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(11) Consent

Consent is one of the legal basis mentioned under Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data.

The requirements for consent require a joint reading of Articles 4(11), 6(1)(a), 7 and 8 GDPR.

EDPB Guidelines: on this provision there are EDPB Guidelines 05/2020 on consent under Regulation 2016/679

(12) Personal data breach

The definition of 'personal data breach' is relevant for the notification duties under Articles 33 and 34 GDPR.

Breach of security

The definition of a data breach requires a security breach, such as a failure of technical or organisational safeguards implemented by the controller according to Article 32 GDPR.

Accidental or unlawful

These failures can either be caused by accident (e.g. through mishandling of personal data by the controller, employees and alike) or by unlawful acts (e.g. targeted attacks, hacking or a physical break in).[131]

Destruction, loss, alteration, unauthorised disclosure, or access

As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.[132]

Although the transmission and storage of data are explicitly highlighted, any type of processing the concerned data is sufficient.[133]

Typical cases

Some examples for personal data breaches are:

  • Hacking-attacks on systems involving personal data;[134]
  • Missing access protection to data storages or buildings;[135]
  • Sending data to unintended recipients;[136]
  • Employees unlawfully distributing data to third parties;[137]
  • Accidentally publishing or leaking data on website;[138]
  • Loss of physical data carriers;[139]
  • Destruction of data storing infrastructure;[140]
  • Unrestorable encryption through Ransomware;[141]
  • Unlocked storage of employee files,[142]accidental or unlawful.

(13) Genetic data

‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, disease or alike, both already existent or emerging in the future.[143] Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA), or ribonucleic acid (RNA) analyses.

The classification of genetic data is becoming relevant in terms of Article 9(1) GDPR, which only allows its processing under strict requirements.[144] This is due to the sensitive character of such data, allowing a unique identification of the data subject and, at the same time, revealing personal health data[145] on them and biological relatives.[146] Especially in terms of heritage diseases, genetic data carries a high risk of abuse in terms of employment and insurance.[147]

(14) Biometric data

‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,[148] the technical processing and unique identification requirements place higher burdens.

The definition itself uses facial images and fingerprints[149] as examples for biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs shall not be considered as such.[150] Although, further processing through the application of facial recognition software would qualify the extracted information as biometric data. In this regard: IRIS Scanners; DNS-Comparisons; voice or gait pattern analyses;[151] as well as typing patterns or even handwritten signatures,[152] may be considered as biometric data.

Other data that does not allow an unique identification, such as body size or blood type, may not be considered biometric data.[153] However, these could then fall under the definition of ‘health data’ that offers similar protection to that afforded to biometric data, according to Article 9(1) GDPR.

(15) Data concerning health

‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, present or future. In this regard, any information on diseases, risks and disabilities - in addition to medical treatment and history - of a particular natural person explicitly qualifies as health data.[154]

Examples for health data includes information about:

  • Addictions to alcohol, drugs or medications as well as the participation in self-help groups;[155]
  • Hospitalizations, sick notes and sick payments;[156]
  • Information the physical or mental invalidity to work;[157]
  • Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.[158]

The notion of health data is therefore broader than ‘medicinal data’.[159] Furthermore, it strongly overlaps with the notions of genetic and biometric data,[160] in order to allow a seamless and high level of protection within the scope of Article 9 GDPR.[161] For further information, please check the commentary on Article 9 GDPR.

EDPB Guidelines: on this provision there are EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

(16) Main establishment

If a controller or a processor have establishments in more than one member state, identifying its 'main establishment' is the first step to recognising the lead supervisory authority in a cross-border procedure under Article 56 GDPR.

Objective criteria

The main establishment of an entity must be determined according to objective criteria.[162] As the main establishment determines the relevant supervisory authority, the Working Party 29 stressed that the GDPR does not permit 'forum shopping' and conclusions cannot be based solely on statements by the controller or processor. The controller or processor’s analysis can be overturned based on an objective examination of the relevant facts.[163]

(a) Main establishment of a controller

General rule: central administration

As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, "the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented".[164]

Recital 22 GDPR defines an establishment as "the effective and real exercise of activity through stable arrangements". The legal form of such arrangements is irrelevant. According to C-230/14 - Weltimmo, an establishment depends on "both the degree of stability of the arrangements and the effective exercise of activities in that other Member State [which] must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned".[165] In this regard, merely the presence of a single representative can constitute a stable arrangement, when they are acting with a sufficient degree of stability and have the necessary equipment to provide the specific services in the member states concerned.[166]

Exception: processing decisions in another establishment

If a controller’s main establishment is not the place of its central administration in the EU, the exception to the general rules kicks in. In this case it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.[167] It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:[168]

  • Where are decisions about the purposes and means of the finally signed off’?
  • Where are decisions about business activities that involve data processing made?
  • Where does the power to have decisions implemented effectively lie?
  • Where is the Director with responsibility for cross border processing located?
  • Where is the controller or processor registered as a company?

(b) Main establishment of a processor

Central administration

Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.

See above for details on determining the central administration.

No central administration

However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in in the context of its activities within the scope of the GDPR.[169]

The meaning of 'the context of activities' has already been specified in C-131/12 - Google Spain. The CJEU build on a broad definition of 'establishment' and clarified that merely the intention of a member state’s establishment to provide advertisement space for a third country undertaking constitutes processing of personal data in the context of the Union’s establishment.[170]

Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU "even if the local establishment is not actually taking any role in the data processing itself".[171] This reasoning can be based on an "inextricable link" between activities of an establishment in the EU and data processing by a non-EU controller or processor.[172]

Cases involving both the controller and the processor

Recital 36 GDPR explains that "in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment". This is not reflected in the text of the relevant Articles.

For details see the commentary on Article 56 GDPR.

(17) Representative

Where a controller or a processor not established in the Union falls under the territorial scope of Article 3(2) GDPR due to processing activities related to data subjects in the Union, it must, in accordance with Article 27 GDPR, appoint a representative in the EU. Representatives are any legal or natural persons established in the union, designated by a controller or processor.

For more details and exceptions to the obligation to designate a representative see the commentary on Article 27 GDPR.

(18) Enterprise

An 'enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of an enterprise, irrespective of their size, legal form or interests pursued.[173] An enterprise requires a regular engagement in economic activities, which means activities intended to be carried out over a a long-term and not only in an occasional manner.[174] Being a 'small [or] medium enterprise' is a precondition for the waiver of the duties under of Articles 30(5) GDPR.

While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ other language versions merged both into a single notion (like 'Unternehmen' in German or 'entreprise' in French).[175] This caused confusion around the assessment of fines according to Article 83 GDPR, which by English language refers to the term of undertaking in accordance with Articles 101, 102 TFEU and thereby not to the definition of Article 4(18) GDPR.[176] The broader definition of an 'undertaking', which includes parent companies and all subsidiaries, leads to higher fines for such structures, when the fine is calculated based on the global turnover.

(19) Group of undertakings

A group of undertakings consists of a leading ('controlling') entity and one or more thereof dependent ('controlled') entities.[177] The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.[178] This is usually the case between a holding company and their subsidiaries.[179] In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.[180] As long as one entity has the factual power to assert its will over the other entities,[181] they qualify as group of undertakings.[182]

Two undertakings are sufficient to form a group.[183] However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.[184]

The classification as a group of undertakings becomes relevant for several provision across the GDPR, such as

  • The joint designation of a Data Protection Officer (Article 37(2) GDPR);
  • The formulation of binding corporate rules (Article 4(20) GDPR, Article 47 GDPR);
  • The data transfer for internal administrative purposes (Article 6(1)(f) GDPR) with Recital 48 GDPR);[185]
  • The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).

However, the notion is to be distinguished from a "group of enterprises engaged in a joint economic activity" who can jointly use binding corporate rules under Article 47 GDPR. These consist of separate and independent entities, which do not exercise control over each other,[186] and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.

(20) Binding corporate rules

Binding corporate rules (short ‘BCR’) are data protection policies formulated by controllers or processors established in the Union for transfers of personal data to entities within their group that are established outside the Union. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.[187] However, they only apply to intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.

For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on Article 47 GDPR.

(21) Supervisory authority

Supervisory Authorities ('SAs') or, colloquially, 'Data Protection Authorities' ('DPAs') are the independent public authorities responsible for monitoring the application of the GDPR under Article 51 GDPR. Member States can decide to provide only one or multiple supervisory authorities, to reflect their constitutional, organisational and administrative structure.[188]

Example-icon.png

For example: Austria, France and Ireland have a single supervisory authority for enforcing the GDPR. While the Irish and French supervisory authorities are also in charge of enforcing the ePrivacy Directive 2002/58/EC (Austria gave this power to the Telecoms Regulator). Germany has a federal supervisory authority and at least one authority for each of the sixteen German states. Some states have more than one authority, for different types of controllers.

Supervisory authorities act independently (see Article 52 GDPR) and shall be provided with various competencies (Articles 55, 56 GDPR), tasks (Article 57 GDPR) and powers (Article 58 GDPR). For further information, see the particular commentary on the named articles.

(22) Supervisory authority concerned

Only 'supervisory authorities concerned' have certain roles in the cooperation procedure under Articles 60 to 66 GDPR. Other supervisory authorities may not participate in the relevant procedures. Qualifying a supervisory authority as ‘concerned’ can result out of three situations as laid out by Article 4(22) GDPR:

  • For a controller or processor, when it is established in a member state of a supervisory authority,
  • for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
  • where a complaint has been lodged with that supervisory authority.

Controller or processor establishment

The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,[189] independent of the form of such arrangements of an actual branch or subsidiary within the union.[190] This broad understanding is fostered by the EUCJ, including any real and effective activity exercised through stable agreements independently of their formalistic approach as an establishment.[191]

(Likely) Substantial affection of the data subject

A substantial affection, although not being further specified from the GDPR, indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.[192] On the contrary, merely the likelihood of such an impact is sufficient, and an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.[193] In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to the state as its permanent habitual centre.[194]

Filing a complaint with the supervisory authority

Filing a complaint with a particular supervisory authority makes them a ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,[195] the supervisory authority can possibly be 'concerned' without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on Article 77 GDPR.

(23) Cross-border processing

The definition of 'cross-border processing' is not intuitive, as not every form of cross-border processing is 'cross-border' under the GDPR. The limited definition in turn limits the application of the ‘one-stop-shop’ system, which is further described within the commentary of Article 56 GDPR.

(a) Processing in the context of establishments within multiple Member States

The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,[196] independent of the formal declarations as a branch or subsidiary within the Union.[197] Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an extricable link between the activities of the establishment and the processing is already sufficient.[198] Only remote links to the processing in question may not involve another entity and therefore not form a ‘cross border processing’.[199]

(b) Processing (likely) to substantially affect data subject in multiple Member States

A substantial affection, again indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.[200] In this regard, the mere likelihood of such an impact is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case by case basis.[201]

(24) Relevant and reasoned objection

A ‘relevant and reasoned objection’ is an objection by a supervisory authority concerned[202] to a draft decision provided by a lead supervisory authority.[203] When such an objection is submitted by the supervisory authorities concerned, the lead supervisory authority can either follow the objection (see Article 60(4) GDPR) or submit the matter to the EDPB (see Article 65(4) GDPR).

In order to limit objections by other supervisory authorities,[204] Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. They must also 'clearly demonstrate' the 'significant risks' posed by the draft decision,[205] either for the fundamental rights and freedoms of data subjects or the free flow of personal data within the Union. As a consequence, it is not enough for a concerned supervisory authority to just raise a concern that a draft decision by the lead supervisory authority is unlawful.

For details see the commentary on Articles 60 and 65 GDPR.

(25) Information society service

For the definition on ‘information society service’ the GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535. The classification as information society service becomes relevant in several contexts of the GDPR, such as children’s consent (see Article 8(1) GDPR) or the right to object (see Article 21(5) GDPR).

At a distance

‘At a distance’ means that the service is provided without the parties being simultaneously present.[206] Thus, even when using electronic means, services provided within the physical presence of the recipient to the provider do not fall within this definition.[207]

Electronic means

‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example, through being transmitted by wire, radio, optical or other electromagnetic means.[208] While offline services are excluded from this definition,[209] composite services such as the selling of goods, advertising and gaming do qualify as such.[210]

Individual request

An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.[211] Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, and teletext are therefore not covered.[212] On the contrary, video-on-demand or pay-per-view services do qualify as information society services.[213]

Typical cases

Accordingly, most online services encountered nowadays fulfill the criteria of an information society service. Typical example are:[214]

  • Online legal or health services;
  • Online libraries or newspapers;
  • Online shopping and booking services;
  • Online media-platforms or video games;
  • Online search engines and web browsers.

(26) International organisation

An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries. The classification as international organisation is relevant in terms of the additional rules placed on data transfers, according to Articles 44-50 GDPR. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organisations as as well.[215] For more information on the principles and additional safeguards placed on such transfers, please see the commentary on Articles 45-49 GDPR.

While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969,[216] serves as a source of inspiration for interpreting EU law according to the CJEU.[217] However, Article 2(1)(i) of the Convention defines international organisation as ‘intergovernmental organisation’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.[218]

In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO) as well as Interpol and Europol shall fall under the term.[219] However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGOs, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.[220]

Decisions

→ You can find all related decisions in Category:Article 4 GDPR

References

  1. Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available here).
  2. Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, p. 19.
  3. German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available here).
  4. Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available here).
  5. Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available here); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available here).
  6. European Court of Human Rights. Amann v. Switzerland [GC], no. 27798/95.
  7. For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available here).
  8. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.
  9. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; in fact, the GDPR provides tools to rectify incorrect information, see Article 16 GDPR.
  10. Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  11. In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  12. Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available here).
  13. A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  14. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available here).
  15. CJEU,  Nowak, 20 December 2017, margin number 35 (available here).
  16. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available here), for example medical records on a patient, or the file of an employee.
  17. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).
  18. 18.0 18.1 Klar/Kühling/Herbst, in Kühling/Buchner, DS-GVO BDSG, Article 4(2) GDPR, margin number 38 (C.H. Beck 2020)
  19. See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
  20. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).
  21. Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).
  22. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
  23. WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available here).
  24. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
  25. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
  26. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here); Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available here).
  27. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available here) with reference to the Commission.
  28. For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available here).
  29. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here).
  30. EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available here).
  31. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
  32. CJEU Case C‑582/14, Breyer, 19.10.2016, margin number 49 (available here).
  33. Klar/Bühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).
  34. Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
  35. Recital 14 sentence 1 GDPR.
  36. Universal Declaration of Human Rights, 10 December 1948 (available here).
  37. However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available here).
  38. See Recital 27 sentence 1 GDPR.
  39. See Recital 27 sentence 2 GDPR.
  40. Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available here).
  41. Recital 14 sentence 2 GDPR.
  42. See Article 1 Directive 2002/58/EC.
  43. See Karg, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).
  44. Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).
  45. CJEU, C-141/12, YS and Others, 17 July 2014 (available here).
  46. CJEU, C-524/06, Huber, 16 December 2008 (available here).
  47. CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available here).
  48. CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available here).
  49. CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
  50. CJEU, C-342/12, Worten, 30 May 2013 (available here).
  51. CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
  52. CJEU, C-582/14, Breyer, 19 October 2016 (available here).
  53. CJEU, C-212/13, Ryneš, 11 December 2014 (available here).
  54. CJEU, C‑434/16, Nowak, 20 December 2017 (available here).
  55. CJEU, C‑291/12, Schwarz, 17 October 2013 (available here).
  56. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).
  57. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).
  58. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).
  59. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).
  60. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).
  61. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).
  62. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).
  63. Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).
  64. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).
  65. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).
  66. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).
  67. Recital 67 GDPR.
  68. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).
  69. Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).
  70. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).
  71. Herbst, in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).
  72. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).
  73. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).
  74. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).
  75. Recital 67 sentence 2 GDPR.
  76. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).
  77. Recital 67 sentence 1 GDPR.
  78. Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).
  79. Recital 70 GDPR.
  80. Recital 71 sentence 1 GDPR.
  81. Recital 71 sentence 1 GDPR.
  82. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).
  83. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).
  84. Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).
  85. Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(5) GDPR, margin number 9 (C.H. Beck 2020)
  86. Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).
  87. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).
  88. Recital 26 GDPR.
  89. Hullen, Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.
  90. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).
  91. Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).
  92. Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021). and CJEU, C-25/17, Johovan Todistajat, 10 July 2018 (available here).
  93. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
  94. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
  95. Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).
  96. CJEU, Case C-200/23, Agentsia po vpisvaniyata, 4 October 2024, margin number 72 (available here).
  97. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 9 (C.H. Beck 2020), with further references.
  98. Hartung, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 10 (C.H. Beck 2020)
  99. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available here).
  100. Jahnel, DSGVO, Article 4(7), marginal number 15, (Jan Sramek Verlag 2021)
  101. Jahnel, DSGVO, Article 4(7), marginal number 22, (Jan Sramek Verlag 2021)
  102. CJEU, Case C-200/23, Agentsia po vpisvaniyata, 4 October 2024, margin number 73 (available here).
  103. Hartung, in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).
  104. CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available here).
  105. CJEU, C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available here), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.
  106. CJEU, C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available here), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.
  107. CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available here), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.
  108. EDPB, 'Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s)', 7 October 2024, margin number 17 (available here).
  109. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).
  110. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).
  111. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available here).
  112. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available here).
  113. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available here).
  114. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available here) and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).
  115. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and Jahnel, in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).
  116. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available here).
  117. More precise, Article 13(1)(e) GDPR, Article 14(1)(e) GDPR, Article 15(1)(c) GDPR.
  118. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).
  119. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).
  120. Hartung, in Kühling/Buchner, DS-GVO BDSG, Article 4(9) GDPR, margin number 6 (C.H. Beck 2020)
  121. See Article 4(8) GDPR and Article 4(10) GDPR.
  122. See Article 4(9) GDPR, “whether a third party or not“.
  123. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).
  124. Article 4(9) sentence 2 GDPR.
  125. Recital 31 sentence 1 GDPR.
  126. See also Article 13(1)(d) GDPR, Article 14(2)(b) GDPR.
  127. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).
  128. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).
  129. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available here); and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).
  130. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available here); and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).
  131. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).
  132. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
  133. Wording: “otherwise processed”.
  134. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  135. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  136. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  137. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).
  138. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
  139. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  140. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
  141. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
  142. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  143. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).
  144. Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, Article 9(4) GDPR.
  145. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).
  146. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).
  147. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).
  148. Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).
  149. Also called 'Dactyloscopic data'.
  150. Recital 51 GDPR, “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
  151. Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
  152. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).
  153. Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
  154. Recital 35 sentence 2 GDPR.
  155. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
  156. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
  157. Petri, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).
  158. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).
  159. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).
  160. See Recital 35, “Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples”.
  161. However, in some cases (e.g. the public health sector) sensitive data can be necessary to be processed without the data subjects consent, see Recital 54 GDPR.
  162. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  163. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  164. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available here).
  165. CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available here).
  166. CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available here).
  167. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available here).
  168. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  169. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).
  170. CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available here).
  171. WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
  172. WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
  173. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).
  174. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).
  175. For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").
  176. See Recital 150 sentence 3 GDPR.
  177. Recital 37 sentence 1 GDPR.
  178. Recital 37 sentence 1 GDPR.
  179. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).
  180. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).
  181. For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.
  182. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).
  183. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).
  184. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).
  185. Pötters/Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “group privilege light”.
  186. Feiler, Forgó, EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).
  187. See Article 46(2)(b) GDPR.
  188. Recital 117 GDPR.
  189. See Recital 22 sentence 2 GDPR.
  190. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).
  191. EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.
  192. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).
  193. For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
  194. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
  195. See Recital 124 sentence 3 GDPR.
  196. See Recital 22 sentence 2 GDPR.
  197. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.
  198. Google, EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.
  199. For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available here).
  200. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).
  201. For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).
  202. See Article 4(22) GDPR.
  203. See Article 56 GDPR.
  204. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).
  205. Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.
  206. Article 1(1)(b)(i) Directive (EU) 2015/1535.
  207. For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) Directive (EU) 2015/1535.
  208. Article 1(1)(b)(ii) Directive (EU) 2015/1535.
  209. See also see Annex I(2.) Directive (EU) 2015/1535.
  210. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available here).
  211. Article 1(1)(b)(iii) Directive (EU) 2015/1535.
  212. See Annex I(3.) Directive (EU) 2015/1535.
  213. EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available here).
  214. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).
  215. See Schröder, in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).
  216. Available here.
  217. CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available here); see also Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
  218. Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
  219. Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).
  220. Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).