Article 4 GDPR: Difference between revisions
mNo edit summary |
(Typos) |
||
Line 256: | Line 256: | ||
==Commentary== | ==Commentary== | ||
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. | Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR. | ||
Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Others definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. | Some definitions are taken from the preceding [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN Directive 95/46/EC], allowing an understanding to build on the already existing terms. Others definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation. | ||
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation | In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation other language versions may be consulted to identify and resolve discrepancies. | ||
===(1) Personal Data=== | ===(1) Personal Data=== | ||
Line 275: | Line 273: | ||
In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]). | In this regard, the German Constitutional Court already in 1983 stated that "<cite>Under the conditions of automatic data processing, there is no longer meaningless data.</cite>"<ref>German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available [https://www.bverfg.de/e/rs19831215_1bvr020983.html here]). | ||
</ref> This position | </ref> This position is supported by the Commission, stating that <cite>''"any item of data relating to an individual, harmless though it may seem, may be sensitive"''</cite>,<ref>Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:51990DC0314 here]).</ref> thereby also following the wish of the Council to keep the definition as general as possible.<ref>Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available [https://aei.pitt.edu/10375/1/10375.pdf here]); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Already the European Court of Human Rights stated that: | ||
:<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref> | :<cite>“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”</cite><ref>European Court of Human Rights. ''Amann v. Switzerland'' [GC], no. [http://hudoc.echr.coe.int/eng?i=001-58497 27798/95]</ref> | ||
Accordingly, personal data includes information both regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The Information can either be ‘objective’ such as unchangeable characteristics of a data subject as well as ‘subjective’ in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref> | Accordingly, personal data includes information both regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.<ref>For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 here]).</ref> The Information can either be ‘objective’ such as unchangeable characteristics of a data subject as well as ‘subjective’ in the form of opinions or assessments.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.</ref> It is thereby not necessary for the information to be true, proven or complete.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf#page=6 p. 6]; in fact, the GDPR provides tools to rectify incorrect information, see [[Article 16 GDPR]].</ref> | ||
With regards to the format or medium of the information, data of any type, may it be alphabetical, numerical, (photo)graphical, acoustic, is concerned. This includes information on paper as well as information stored on a computer in binary form or on tape, such as videosurveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> | With regards to the format or medium of the information, data of any type, may it be alphabetical, numerical, (photo)graphical, acoustic, is concerned. This includes information on paper as well as information stored on a computer in binary form or on tape, such as videosurveillance,<ref>Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> telebanking,<ref>In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> medical prescriptions<ref>Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> or even child's drawings.<ref>A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> | ||
'''Relating To''' | '''Relating To''' | ||
The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its content, purpose or effect, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref> | The information needs to relate to an individual. In accordance with the WP29<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> the CJEU assesses this requirement based on three different criteria, i.e. “''where the information, by reason of its <u>content</u>, <u>purpose</u> or <u>effect</u>, is linked to a particular person''.”<ref>CJEU, Nowak, 20 December 2017, margin number 35 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1067970 here]).</ref> | ||
The content of the information is | The content of the information is 'relating to' a person when it is about a particular individual.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]), for example medical records on a patient, or the file of an employee</ref> On the contrary, information relating to a bigger group of person without any possibility to single out a individual is not related to a particular person.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).</ref> Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of the Mount Everest.</ref> However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows to infer the owners wealth and income situation while car service records allow conclusions towards their driving behaviour.<ref>See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, also Geodata (like GPS data and coordinates) allows to derive locations and movement patterns of individuals.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); ''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).</ref> Especially, considering information on the growing amount of personal devices, wearables and RFID-Chips increasingly becomes related to their carrying person.<ref>''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).</ref> | ||
Furthermore, the purpose of the information cause a relation to a person where used to change its particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation | Furthermore, the purpose of the information cause a relation to a person where used to change its particular status or behaviour.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.<ref>WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf here]).</ref> The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> | ||
'''Identified or Identifiable''' | '''Identified or Identifiable''' | ||
Line 294: | Line 292: | ||
The person to which the information relates must also be identified or identifiable. | The person to which the information relates must also be identified or identifiable. | ||
A person is “identified” where it can be distinguished or | A person is “identified” where it can be distinguished or 'singled out' from a bigger group of persons from the information directly.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]); ''Klar/Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> This is usually achieved through several 'identifiers' listed by Article 4(1) GDPR, such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf; here]) with reference to the Commission.</ref> Note that the name of a person is therefore not necessarily required to identify an individual given such typically more unique identifiers.<ref>For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> | ||
A person is “identifiable” when it has not been identified yet but where identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from other entities to identify a person. However, the “reasonable likeliness” of such information being used by the controller, narrows the approach to a relative (subjective) one. | A person is “identifiable” when it has not been identified yet but where identification is possible through a combination of available pieces of information.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, Recital 26 sentence 3 GDPR states “''to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.''” Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from other entities to identify a person. However, the “reasonable likeliness” of such information being used by the controller, narrows the approach to a relative (subjective) one. In this regard, Recital 26 sentence 4 GDPR adds that in order “''to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.''” | ||
In other words, while not all of the information required to identify the person needs to be in the hands of the controller<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility to identify the person with the information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual taking into account state-of-the art tools, available sources, costs, time and effort required to perform the identification. In the case of collecting IP-addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access additional information required to link the IP-address to the respective | In other words, while not all of the information required to identify the person needs to be in the hands of the controller<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]).</ref> the mere hypothetical possibility to identify the person with the information from other entities is not sufficient either.<ref>WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual taking into account state-of-the art tools, available sources, costs, time and effort required to perform the identification. In the case of collecting IP-addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access additional information required to link the IP-address to the respective visitor.<ref>EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available [https://curia.europa.eu/juris/liste.jsf?num=C-582/14 here]); similar for cookies and device fingerprinting, see ''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).</ref> | ||
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially, where information is stored over a long period of time, persons become more likely to be identified as continuously more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> | Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.<ref>''Klar/Bühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).</ref> Especially, where information is stored over a long period of time, persons become more likely to be identified as continuously more pieces of information are added to their data set.<ref>Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> In this regard, even pseudonymised data shall explicitly remain considered as information on an identifiable person, according to Recital 26 GDPR. For further information, see also the commentary on Article 4(5) GDPR. | ||
'''Natural Person''' | '''Natural Person''' | ||
Line 306: | Line 304: | ||
The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref> | The right to data protection is not restricted to certain nationals or citizens of specific countries<ref>Recital 14 sentence 1 GDPR</ref> but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “''Everyone has the right to recognition everywhere as a person before the law''”.<ref>Universal Declaration of Human Rights, 10 December 1948 (available [https://www.un.org/en/about-us/universal-declaration-of-human-rights here]).</ref> | ||
Starting from this definition, national legislators usually | Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.<ref>However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> Following up with the GDPR, information relating to deceased persons is then not considered personal data.<ref>See Recital 27 sentence 1 GDPR.</ref> However, member states may provide alternative rules for the protection of deceased persons<ref>See Recital 27 sentence 2 GDPR.</ref> which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through its relatives.<ref>Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf here]).</ref> For more information, see also the commentary on Article 4(13) GDPR. | ||
As the definition is limited to natural persons, also information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy-Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref> | As the definition is limited to natural persons, also information on legal persons is generally not covered by the definition of personal data.<ref>Recital 14 sentence 2 GDPR.</ref> However, related provisions from the ePrivacy-Directive,<ref>See Article 1 [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058 Directive 2002/58/EC]</ref> national data protection laws or constitutional laws can grant alternative protection.<ref>See ''Karg'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).</ref> | ||
Line 312: | Line 310: | ||
Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. Especially, where the information to on legal person allows to derive information on the natural person behind, such as a company’s name or mail address, it may be related to a natural person and therefore personal data. This is especially common for smaller businesses, family run or one person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref> | Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. Especially, where the information to on legal person allows to derive information on the natural person behind, such as a company’s name or mail address, it may be related to a natural person and therefore personal data. This is especially common for smaller businesses, family run or one person enterprises.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).</ref> | ||
'''Further Examples | '''Further Examples of Personal Data Subject to the CJEU''' | ||
*Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref> | *Name, date of birth, nationality, gender, ethnicity, religion and language<ref>CJEU, C-141/12, YS and Others, 17 July 2014 (available [https://curia.europa.eu/juris/liste.jsf?num=C-141/12 here]).</ref> | ||
*Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref> | *Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities<ref>CJEU, C-524/06, Huber, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-524/06 here]).</ref> | ||
*Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref> | *Municipality of residence, information concerning the earned and unearned income and assets of that person<ref>CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-73/07 here]).</ref> | ||
*Data | *Data which relate both to the monies paid by certain bodies and the recipients<ref>CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-465/00&language=de here]). </ref> | ||
*Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref> | *Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies<ref>CJEU, C-101/01, Lindqvist, 6 November 2003 (available [https://curia.europa.eu/juris/liste.jsf?num=C-101/01 here]).</ref> | ||
Line 340: | Line 338: | ||
Processing is another central requirement for the application of the GDPR. To be considered as 'processing' the operation in question has to relate to personal data, according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by full-, semi or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref> | Processing is another central requirement for the application of the GDPR. To be considered as 'processing' the operation in question has to relate to personal data, according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by full-, semi or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.<ref>''Herbst'', in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).</ref> | ||
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations | The notion of processing is formulated broadly by the GDPR through an enumeration of several operations: | ||
*'''Collection''' (targeted procurement of single pieces of data), such as offering | *'''Collection''' (targeted procurement of single pieces of data), such as offering online registrations or contact forms<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).</ref> | ||
*'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors | *'''Recording''' (continuous procurement of data flows), such as operating surveillance cameras or similar sensors | ||
*'''Organisation''' (systematic ordering that enhance access and evaluation of information), such as | *'''Organisation''' (systematic ordering that enhance access and evaluation of information), such as the allocation of information within databases | ||
*'''Structuring''' (ordering data according to certain criteria), | *'''Structuring''' (ordering data according to certain criteria), e.g. in numerically or alphabetical order<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).</ref> | ||
*'''Storage''' (saving information to a physical and readable format), such as | *'''Storage''' (saving information to a physical and readable format), such as on information on paper, files, disks, drives or cloud servers<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).</ref> | ||
*'''Adaptation''' (adjustments to the content of information according to specific criteria), | *'''Adaptation''' (adjustments to the content of information according to specific criteria), e.g. updating to information on age, address or income<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020). [''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).</ref> | ||
*'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization | *'''Alteration''' (changes to the form or content of data), such as corrections, pseudonymisation or anonymization<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).</ref> | ||
*'''Retrieval''' (accessing stored information), | *'''Retrieval''' (accessing stored information), for example loading information to be displayed on a device<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).</ref> | ||
*'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data | *'''Consultation''' (accessing stored information through targeted searches), such as using search routines to find and display data<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).</ref> | ||
*'''Use''' (catching term for all active operations conducted on personal data), | *'''Use''' (catching term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).</ref> | ||
*'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer | *'''Disclosure by transmission''' (“pushing” information to recipients or other third parties), such as sharing customer information with another company | ||
*'''Disclosure by dissemination''' (untargeted distribution of information to | *'''Disclosure by dissemination''' (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).</ref> | ||
*'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on | *'''Disclosure by otherwise making available''' (generally any other form of disclosure), such as providing information on websites or search engines<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).</ref> | ||
*'''Alignment''' (comparison of information with other, specific requirements), such as grid investigations | *'''Alignment''' (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions | ||
*'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR) | *'''Combination''' (merging information), such as profiling (see also Article 4(4) GDPR)<ref>''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).</ref> | ||
*'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation | *'''Restriction''' (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website<ref>Recital 67 GDPR.</ref> | ||
*'''Erasure''' (irreversible rendering of information impossible to access), such as overwriting data multiple times | *'''Erasure''' (irreversible rendering of information impossible to access), such as overwriting data multiple times<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); ''Roßnagel'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).</ref> | ||
*'''Destruction''' (physically destroying the data carrier), such as shredding of files | *'''Destruction''' (physically destroying the data carrier), such as shredding of files<ref>''Reimer'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).</ref> | ||
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where controller remains completely passive without taking any active action towards information that is imposed by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref> | Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where controller remains completely passive without taking any active action towards information that is imposed by the data subject.<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).</ref> | ||
Line 389: | Line 387: | ||
*Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref> | *Operating e-Recruitment Systems<ref>Recital 71 sentence 1 GDPR.</ref> | ||
Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR | Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR such as its territorial application, see [[Article 3 GDPR|Article 3(2)(b) GDPR]], Recital 24 GDPR, or automated decision making, [[Article 22 GDPR]]. In any case, the data subject has to be informed on the existence of profiling by the controller.<ref>Recital 60 sentence 3 GDPR.</ref> | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 430: | Line 428: | ||
The data can be stored either within a single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require to store information in multiple persons. Already storing structured information on a single person may qualify as filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref> | The data can be stored either within a single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require to store information in multiple persons. Already storing structured information on a single person may qualify as filing system.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).</ref> | ||
Examples are: | |||
*Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref> | *Salary lists on employees<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).</ref> | ||
Line 440: | Line 438: | ||
===(7) Controller=== | ===(7) Controller=== | ||
The controller is the main addressee to obligations formulated by the GDPR. A controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, it the controller is to be distinguished from the processor, which is explained | The controller is the main addressee to obligations formulated by the GDPR. A controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> In this regard, it the controller is to be distinguished from the processor, which is further explained in Article 4(8) GDPR. | ||
The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure to be able to demonstrate that any processing of personal data performed on his behalf is in accordance with the GDPR. | The responsibilities of the controller are defined in [[Article 24 GDPR]]. Accordingly, the controller has to ensure to be able to demonstrate that any processing of personal data performed on his behalf is in accordance with the GDPR. | ||
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co controllership’ | In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to [[Article 26 GDPR]]. Important, however, is utlimately the factual influence on the processing of the personal data<ref>''Hartung'', in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).</ref> see Recital 79 GDPR. In this regard, the participation and influence on the purposes and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.<ref>CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ013 here]).</ref> | ||
For example, a joint controllership is assumed between | For example, a joint controllership is assumed between | ||
Line 462: | Line 460: | ||
The most important distinction is, that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref> | The most important distinction is, that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).</ref> Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).</ref> | ||
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> | Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> provides some examples as references for controller-processor relationships: | ||
*Outsourcing of Callcenters for Customer Communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> | *Outsourcing of Callcenters for Customer Communications<ref>WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf here]).</ref> | ||
Line 469: | Line 467: | ||
*A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref> | *A Separated Entity Specialized in Data Processing within a Group of Companies<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and ''Jahnel'', in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).</ref> | ||
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical organizational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of | When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical organizational measures (see [[Article 32 GDPR]]) as well as the possibility of being fined (see [[Article 82 GDPR]]). Of additional relevance is [[Article 28 GDPR]], that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on [[Article 28 GDPR|Article 28(3) GDPR]]. | ||
A special form of the processor is the ‘sub processor’ engaged by the processor | A special form of the processor is the ‘sub processor’ engaged by the processor which requires another processing agreement and authorisation through the controller. For further information see the commentary on [[Article 28 GDPR|Article 28(2),(4) GDPR]]. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 483: | Line 481: | ||
In this regard, it is discussed, whether a processor is also a recipient. One the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third-party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Article 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref> | In this regard, it is discussed, whether a processor is also a recipient. One the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.<ref>See Article 4(8) GDPR and Article 4(10) GDPR.</ref> However, the concept of the recipient is completely independent of that of the third-party.<ref>See Article 4(9) GDPR, “whether a third party or not“.</ref> With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, [[Article 28 GDPR]] does not relieve the controller to inform the data subjects about its processors as recipients according to [[Article 13 GDPR|Article 13 to 15 GDPR]].<ref>''Pötters, Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).</ref> | ||
Not considered | Not considered as recipient are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).</ref> The wording of the provision suggests that the entity requires a particular degree of sovereignty in order to count as recipient.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and ''Regenhardt'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).</ref> Units that are inseparable part of the internal structure of the controller are therefore not to classify as recipients. | ||
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref> | Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.<ref>Article 4(9) sentence 2 GDPR.</ref> These inquiries, however, must be in the general interest and in accordance with Union or Member State law.<ref>Recital 31 sentence 1 GDPR.</ref> | ||
Line 493: | Line 491: | ||
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation, as any person different from the data subject, controller, processor or any other person authorized to process personal data by the controller. Its notion becomes mainly relevant in terms of evaluating of interests, such as in Article 6 (1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref> | The concept of a third party complements the previously defined entities. It constitutes a negative delimitation, as any person different from the data subject, controller, processor or any other person authorized to process personal data by the controller. Its notion becomes mainly relevant in terms of evaluating of interests, such as in Article 6 (1)(f) GDPR.<ref>See also [[Article 13 GDPR|Article 13(1)(d) GDPR]], [[Article 14 GDPR|Article 14(2)(b) GDPR]].</ref> | ||
Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller is not a third party, unless the employee uses personal data for own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this | Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).</ref> Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).</ref> Similarly, internal staff of the controller is not a third party, unless the employee uses personal data for own purposes outside of the employment context.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).</ref> In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.<ref>''EDPB'', Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf here]); and ''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).</ref> | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 511: | Line 509: | ||
Examples where asymmetries of power and bundled consent usually occur are: | Examples where asymmetries of power and bundled consent usually occur are: | ||
*Relationships with | *Relationships with public authorities<ref>Recital 43 sentence 1 GDPR, and ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).</ref> | ||
*Employer- | *Employer-employee-relationships<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).</ref> | ||
* Use of | * Use of major digital services with limited alternatives<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).</ref> | ||
'''Informed''' | '''Informed''' | ||
Line 524: | Line 522: | ||
'''Unambiguous''' | '''Unambiguous''' | ||
Consent must be given unambiguously in the form of clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice | Consent must be given unambiguously in the form of clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref> | ||
'''Withdrawal''' | '''Withdrawal''' | ||
Line 532: | Line 530: | ||
'''Capacity''' | '''Capacity''' | ||
Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 | Generally, consent must be given directly by the data subject or a nominated representative.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).</ref> In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.<ref>''Bucher, Kühling'', in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); ''Ernst'', Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.</ref> In the online context, [[Article 8 GDPR|Article 8(1) GDPR]] provides a minimum age of 16 while member states may not reduce that age limit to below 13. | ||
'''Explicit Consent''' | '''Explicit Consent''' | ||
The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more | The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more information check the commentary on [[Article 9 GDPR|Article 9(2)(a) GDPR]], [[Article 22 GDPR|Article 22(2)(c) GDPR]] and [[Article 49 GDPR|Article 49(1) GDPR]]. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 549: | Line 547: | ||
Moreover, it requires a security breach within that processing. Such are any failures of technical or organizational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can either be caused through targeted attacks from other parties or through mishandling of personal data through the controller or persons instructed, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples for security breaches are: | Moreover, it requires a security breach within that processing. Such are any failures of technical or organizational safeguards implemented by the controller according to [[Article 32 GDPR]]. These failures can either be caused through targeted attacks from other parties or through mishandling of personal data through the controller or persons instructed, such as its employees.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).</ref> Some examples for security breaches are: | ||
*Hacking- | *Hacking-attacks on systems involving personal data<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref> | ||
*Missing access protection to data storages or buildings | *Missing access protection to data storages or buildings<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref> | ||
*Sending data to unintended recipients | *Sending data to unintended recipients<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref> | ||
*Employees unlawfully distributing data to third parties | *Employees unlawfully distributing data to third parties<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).</ref> | ||
*Accidentally publishing or leaking data on website | *Accidentally publishing or leaking data on website<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref> | ||
*Loss of physical data carriers | *Loss of physical data carriers<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); ''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref> | ||
*Destruction of data storing infrastructure | *Destruction of data storing infrastructure<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref> | ||
*Unrestorable encryption through Ransomware | *Unrestorable encryption through Ransomware<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).</ref> | ||
*Unlocked storage of employee files | *Unlocked storage of employee files<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).</ref> | ||
As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref> | As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.<ref>''Mantz'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).</ref> | ||
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref> | The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to [[Article 33 GDPR|Articles 33, 34 GDPR]]. In this regard, the EDPB can issue further guidelines, recommendations and best practices for handling personal data breaches, [[Article 70 GDPR|Article 70(1)(g)(h) GDPR]].<ref>See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available [https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf here]).</ref> | ||
===(13) Genetic Data=== | ===(13) Genetic Data=== | ||
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions the growth, metabolism, appearance, diseases or alike, both already existent or entering in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses. | ‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on the growth, metabolism, appearance, diseases or alike, both already existent or entering in the future.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).</ref> Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses. | ||
The classification as genetic data is becoming relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], that only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, that allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of heritage diseases, genetic data therefore carries a high risk of abuse in terms of employment and insurances.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref> | The classification as genetic data is becoming relevant in terms of [[Article 9 GDPR|Article 9(1) GDPR]], that only allows its processing under strict requirements.<ref>Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, [[Article 9 GDPR|Article 9(4) GDPR]].</ref> This is due to the sensitive character of such data, that allows a unique identification of the data subject and at the same time reveals personal health data<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).</ref> on them and biological relatives.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).</ref> Especially in terms of heritage diseases, genetic data therefore carries a high risk of abuse in terms of employment and insurances.<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).</ref> | ||
Line 574: | Line 572: | ||
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for an unique identification. While this generally includes any means to analyse and measure the characteristics of humans<ref>Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the technical processing and unique identification requirements place higher burdens. | ‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for an unique identification. While this generally includes any means to analyse and measure the characteristics of humans<ref>Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see ''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).</ref> the technical processing and unique identification requirements place higher burdens. | ||
The definition itself gives facial images and fingerprints | The definition itself gives facial images and fingerprints<ref>Also called 'Dactyloscopic data'.</ref> as examples for biometric data. However, the requirement for specific technical processing, ensures that simple pictures or even passport photographs shall not be considered as such.<ref>Recital 51 GDPR, “''The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person''”.</ref> It is the further processing through the application of facial recognition software, that qualifies the extracted information as biometric data. In this regard, also IRIS Scanners, DNS-Comparisons, voice or gait pattern analyses,<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> as well as typing patterns or even handwritten signatures<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).</ref> may be considered as biometric data. | ||
Other data, that does not allow an unique identification, such as the body size or blood type, | Other data, that does not allow an unique identification, such as the body size or blood type, may not be considered biometric data.<ref>''Kampert'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).</ref> However, these could then fall under the definition of ‘health data’ that offers similar protection like for biometric data, according to [[Article 9 GDPR|Article 9(1) GDPR]]. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 584: | Line 582: | ||
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, current or future. In this regard, any information on diseases, risks, disabilities, their treatment and medical histories of a particular natural person explicitly qualify as health data.<ref>Recital 35 sentence 2 GDPR.</ref> | ‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, current or future. In this regard, any information on diseases, risks, disabilities, their treatment and medical histories of a particular natural person explicitly qualify as health data.<ref>Recital 35 sentence 2 GDPR.</ref> | ||
Examples for health data are information about: | |||
*Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref> | *Addictions to alcohol, drugs or medications as well as the participation in self-help groups<ref>''Ernst'', in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and ''Sydow'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).</ref> | ||
Line 600: | Line 598: | ||
If a controller or a processor have establishments in more than one member states, identifying its ‘main establishment’ is the first step to recognize the lead supervisory authority in a cross-border procedure. | If a controller or a processor have establishments in more than one member states, identifying its ‘main establishment’ is the first step to recognize the lead supervisory authority in a cross-border procedure. | ||
It is the role of a data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the | It is the role of a data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently determine the corresponding lead authority.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the Working Party 29 stressed that the GDPR does not permit ‘forum shopping’ and conclusions cannot be based solely on statements by the organisation under review: The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> | ||
'''Main Establishment of a Controller''' | '''Main Establishment of a Controller''' | ||
Line 606: | Line 604: | ||
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> | As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “''the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented''”.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> | ||
Recital 22 GDPR defines an establishment as | Recital 22 GDPR defines an establishment as "''the effective and real exercise of activity through stable arrangements''". The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “''both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.''”<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> In this regard, already the presence of a single representative can constitute a stable arrangement when acting with a sufficient degree of stability and the necessary equipment to provide the specific services in the member states concerned.<ref>CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available [https://curia.europa.eu/juris/liste.jsf?num=C-230/14 here]).</ref> | ||
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the | If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:<ref>WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available [https://ec.europa.eu/newsroom/article29/items/611235/en here]).</ref> | ||
* Where are decisions about the purposes and means of the finally signed off’? | * Where are decisions about the purposes and means of the finally signed off’? | ||
Line 624: | Line 622: | ||
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself but only in in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that already the intention of a member state’s establishment to provide advertisement space for a third country undertaking is processing of personal data in the context of the Union’s establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref> | However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself but only in in the context of its activities within the scope of the GDPR.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).</ref> The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that already the intention of a member state’s establishment to provide advertisement space for a third country undertaking is processing of personal data in the context of the Union’s establishment.<ref>CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available [https://curia.europa.eu/juris/liste.jsf?num=c-131/12 here]).</ref> | ||
Following up on the CJEU judgement, the | Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “''even if the local establishment is not actually taking any role in the data processing itself''”.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> This reasoning can be based on an “''inextricable link''” between activities of an establishment in the EU and data processing by a non-EU controller or processor.<ref>WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available [https://ec.europa.eu/newsroom/article29/items/640614/en here]).</ref> | ||
'''Cases Involving Both the Controller and the Processor''' | '''Cases Involving Both the Controller and the Processor''' | ||
Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information determining the lead and concerned supervisory authorities in cross border contexts see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR. | Recital 36 GDPR explains that “''in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment''”. For further information determining the lead and concerned supervisory authorities in cross border contexts involving both the controller and the processor see the commentary on [[Article 56 GDPR]] and Article 4(22)-(23) GDPR. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 635: | Line 633: | ||
===(17) Representative=== | ===(17) Representative=== | ||
Representative are any legal or natural persons established in the union designated by a controller or processor, in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller, but they serve as contact persons for data subjects and DPAs towards controllers and processors that are only outside the Union. | Representative are any legal or natural persons established in the union designated by a controller or processor, in accordance with [[Article 27 GDPR]]. They are not to be confused with the executive organ of the controller, but they serve as contact persons for data subjects and DPAs towards controllers and processors that are only located outside the Union. | ||
In this regard, the notion of a representative becomes relevant in terms actors that are falling within the territorial scope of the GDPR without having any establishment within the union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents such actors only established in a third country | In this regard, the notion of a representative becomes relevant in terms of actors that are falling within the territorial scope of the GDPR without having any establishment within the union (see [[Article 3 GDPR|Article 3(2) GDPR]] and Recital 80 GDPR).<ref>According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union ''“related to the offering of goods or services“'' or ''“the monitoring of their behaviour”''.</ref> In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.<ref>Recital 80 sentence 6 GDPR.</ref> This way, the representative prevents such actors only established in a third country to become “infeasible” for data subjects and DPA’s within the union. Examples for representatives may therefore be designated employees, lawyers or whole firms established within the union.<ref>''Gola'', in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).</ref> | ||
The designation shall happen in a written form, containing the a mandate to represent the controller or processor under the obligations from the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time. the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities not providing a representative may be tackled by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> | The designation shall happen in a written form, containing the a mandate to represent the controller or processor under the obligations from the GDPR.<ref>Recital 80 sentences 3, 4 GDPR.</ref> At the same time. the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.<ref>Recital 80 sentence 5 GDPR.</ref> However, it remains unclear how entities not providing a representative may be tackled by the GDPR.<ref>''Ziebarth'', in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).</ref> This goes especially for public authorities that are excluded from the designation of a representative.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).</ref> | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 647: | Line 645: | ||
An enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of their size, legal form or interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref> | An enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of their size, legal form or interests pursued.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).</ref> | ||
An enterprise requires a regular engagement in economic activities, which means activities intended for a long-term and not only in an occasional manner.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are completely familiarly or personal activities | An enterprise requires a regular engagement in economic activities, which means activities intended for a long-term and not only in an occasional manner.<ref>''Eßer'', in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).</ref> Excluded from such activities are completely familiarly or personal activities as part of the household exception, see the commentary on [[Article 2 GDPR|Article 2(c) GDPR]]. | ||
While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ the translation to other languages merged | While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ the translation to other languages merged both into a single notion.<ref>For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").]</ref> This can cause controversy around the assessment of fines according to [[Article 83 GDPR]], which by English language refers to the term of undertaking in accordance with [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN#page=42 Articles 101, 102 TFEU] and thereby not to the definition of Article 4(18) GDPR.<ref>See Recital 150 sentence 3 GDPR.</ref> In any case, however, the notion is to be understood broadly when enforcing actions or determining fines on a particular entity, see the commentary on [[Article 83 GDPR]]. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 655: | Line 653: | ||
===(19) Group of Undertakings === | ===(19) Group of Undertakings === | ||
A group of undertakings consists of a leading (“controlling”) entity and one or more thereof dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example | A group of undertakings consists of a leading (“controlling”) entity and one or more thereof dependent (“controlled”) entities.<ref>Recital 37 sentence 1 GDPR.</ref> The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.<ref>Recital 37 sentence 1 GDPR.</ref> This is usually the case between a holding company and their subsidiaries.<ref>''Klabunde'', in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).</ref> | ||
In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref> | In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).</ref> As long as one entity has the factual power to assert its will over the other entities,<ref>For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.</ref> they qualify as group of undertakings.<ref>''Schreiber'', in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).</ref> | ||
Line 665: | Line 663: | ||
* The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]), | * The joint designation of a Data Protection Officer ([[Article 37 GDPR|Article 37(2) GDPR]]), | ||
* The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]), | * The formulation of binding corporate rules (Article 4(20) GDPR, [[Article 47 GDPR]]), | ||
* The data transfer for internal administrative purposes ( | * The data transfer for internal administrative purposes ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) with Recital 48 GDPR)<ref>''Pötters/Böhm'', in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “''group privilege light''”.</ref> | ||
* The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR). | * The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR). | ||
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’ also used throughout several provisions across the GDPR. These consist | However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’ also used throughout several provisions across the GDPR. These consist of separate and independent entities, which do not exercise control over each other<ref>''Feiler, Forgó,'' EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).</ref> and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 675: | Line 673: | ||
===(20) Binding Corporate Rules === | ===(20) Binding Corporate Rules === | ||
Binding corporate rules (short ‘BCR’) are ‘personal data protection policies’ formulated by controllers or | Binding corporate rules (short ‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established on the union for transfers of personal data outside the union within their group. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.<ref>See [[Article 46 GDPR|Article 46(2)(b) GDPR]].</ref> However, they only serve for for intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules. | ||
Furthermore, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, BCR must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules are therefore to be previously approved by the national DPA concerned.<ref>[[Article 47 GDPR|Article 47(1) GDPR]].</ref> Furthermore, the Commission may specify the format and procedures for the exchange of information for these rules.<ref>[[Article 47 GDPR|Article 47(3) GDPR]].</ref> For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on [[Article 47 GDPR]]. | |||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 687: | Line 685: | ||
Member states can decide to provide only one or multiple DPAs, to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established on the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is adhering to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European Institutions for their compliance with data protection rules.</ref> And while each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assisting each other and conduct joint operations with to foster a consistent application of the GDPR in cross border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR). | Member states can decide to provide only one or multiple DPAs, to reflect their constitutional, organisational and administrative structure.<ref>Recital 117 GDPR.</ref> In this regard, DPAs must be public authorities<ref>Private actors cannot serve as DPAs, see ''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).</ref> established on the national level.<ref>The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see [https://gdprhub.eu/Article%2051%20GDPR Article 51(1) GDPR] and [https://gdprhub.eu/Article%2068%20GDPR Article 68(3) GDPR] “''The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor''”. It is adhering to its own [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1725&from=en Regulation (EU) 2018/1725], functionally overseeing and advising the European Institutions for their compliance with data protection rules.</ref> And while each supervisory authority should be competent on the territory of its own member state,<ref>Recital 112 sentence 1 GDPR.</ref> they shall cooperate, mutually assisting each other and conduct joint operations with to foster a consistent application of the GDPR in cross border contexts (see [[Article 60 GDPR|Articles 60-63 GDPR]] and Recital 123 GDPR). | ||
In this regard, DPAs may act independent (see [[Article 52 GDPR]]) and shall be provided with several competencies ([[Article 55 GDPR|Articles 55, 56 GDPR]]), Tasks ([[Article 57 GDPR]]) and Powers ([[Article 58 GDPR]]). For further information, see the particular commentary | In this regard, DPAs may act independent (see [[Article 52 GDPR]]) and shall be provided with several competencies ([[Article 55 GDPR|Articles 55, 56 GDPR]]), Tasks ([[Article 57 GDPR]]) and Powers ([[Article 58 GDPR]]). For further information, see the particular commentary on these articles. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 710: | Line 708: | ||
'''Filing a Complaint with the Supervisory Authority''' | '''Filing a Complaint with the Supervisory Authority''' | ||
Filing a complaint with a particular supervisory authority | Filing a complaint with a particular supervisory authority makes them ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,<ref>See Recital 124 sentence 3 GDPR.</ref> the supervisory authority can possibly be concerned without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on [[Article 77 GDPR]]. | ||
'''<u>Relevant Recitals</u>''' | '''<u>Relevant Recitals</u>''' | ||
Line 716: | Line 714: | ||
===(23) Cross-Border Processing=== | ===(23) Cross-Border Processing=== | ||
Cross border processing means any processing taking place in the | Cross border processing means any processing taking place (i) in the in the context of the activities of establishments of a controller or processor in multiple member states, or (ii) in the context of a single establishment of a controller or processor in the union with (likely) substantially affects to data subjects in more than one member state. | ||
( | |||
Both conditions are therefore attached to the notion of ‘establishment’, whereas ( | Both conditions are therefore attached to the notion of ‘establishment’, whereas (i) requires the controller or processor to have multiple establishments within different member states of the union, while (ii) only requires the controller or processor to have an establishment within a single member state of the union.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).</ref> In both cases, however, the controller or processor needs to be established in at least one member state.<ref>''Polenz'', in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).</ref> | ||
'''Processing in the Context of Establishments within Multiple Member States''' | '''Processing in the Context of Establishments within Multiple Member States''' | ||
Line 741: | Line 735: | ||
The ‘relevant and reasoned objection’ refers to situations, in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a decision draft provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in terms of a cross-border-processing context.<ref>See Article 4(23) GDPR.</ref> When such objection is exercised by the supervisory authorities concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]). | The ‘relevant and reasoned objection’ refers to situations, in which a supervisory authority concerned<ref>See Article 4(22) GDPR.</ref> objects to a decision draft provided by a lead supervisory authority<ref>See [[Article 56 GDPR]].</ref> in terms of a cross-border-processing context.<ref>See Article 4(23) GDPR.</ref> When such objection is exercised by the supervisory authorities concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see [[Article 60 GDPR|Article 60(4) GDPR]], [[Article 65 GDPR|Article 65(4) GDPR]]). | ||
In order to not overload the EDPB with submissions | In order to not overload the EDPB with insufficiently grounded submissions causing delays for decisions,<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).</ref> Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. In this regard, they have to show an infringement or compliance of the GDPR in opposition to the lead authorities decision draft clearly demonstrating the significance of the risks posed by the draft decision.<ref>Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.</ref> | ||
An objection is therefore only relevant and reasoned, when it refers to the concrete draft of a decision and does not only contain concerns of general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires to provide the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the the non-negligible risks for the data subjects or the free flow of personal data entailed.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref> | An objection is therefore only relevant and reasoned, when it refers to the concrete draft of a decision and does not only contain concerns of general nature.<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> This requires to provide the exact legal reasons for the objection,<ref>''Dix'', in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).</ref> clearly stating the the non-negligible risks for the data subjects or the free flow of personal data entailed.<ref>''Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).</ref> | ||
Line 775: | Line 769: | ||
An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries. | An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries. | ||
While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves as a source of inspiration for interpreting EU law according to the CJEU.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines international organisation as ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since | While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969<ref>Available [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf here].</ref> serves as a source of inspiration for interpreting EU law according to the CJEU.<ref>CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72406&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2557504 here]); see also ''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> However, Article 2(1)(i) of the [https://legal.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf Convention] defines international organisation as ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).</ref> | ||
In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO as well as Inter- and Europol fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> However, these examples are not exhaustive and can be infinitely extended. Only NGO’s, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref> | In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO as well as Inter- and Europol shall fall under the term.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).</ref> However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGO’s, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.<ref>''Bygrave/Tosoni'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).</ref> | ||
The classification as international organization is relevant in terms of the additional rules placed on data transfers, according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organizations as as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers | The classification as international organization is relevant in terms of the additional rules placed on data transfers, according to [[Article 44 GDPR|Articles 44-50 GDPR]]. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organizations as as well.<ref>See ''Schröder'', in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).</ref> For more information on the principles and additional safeguards placed on such transfers see the commentary on [[Article 45 GDPR|Articles 45-49 GDPR]]. | ||
===Further Definitions=== | ===Further Definitions=== | ||
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains | Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains further articles that directly or indirectly deliver definitions in its context, such as: | ||
*[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’, | *[[Article 5 GDPR|Article 5(1)(a) GDPR]]: ‘lawfulness, fairness and transparency’, | ||
*[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’, | *[[Article 5 GDPR|Article 5(1)(b) GDPR]]: ‘purpose limitation’, |
Revision as of 09:51, 26 September 2021
Legal Text
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
16. ‘main establishment’ means:
- (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
- (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
- (a) the controller or processor is established on the territory of the Member State of that supervisory authority;
- (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- (c) a complaint has been lodged with that supervisory authority;
23. ‘cross-border processing’ means either:
- (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
Commentary
Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.
Some definitions are taken from the preceding Directive 95/46/EC, allowing an understanding to build on the already existing terms. Others definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation.
In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever in doubt of the interpretation other language versions may be consulted to identify and resolve discrepancies.
(1) Personal Data
The principal concept of the GDPR is that of ‘personal data’.[1]
Its definition is an extension of the previously existing definition under Article 2 (a) Directive 95/46/EC.[2] The Directive itself derives the definition from Article 2 (a) Convention 108,[3] according to which “personal data” means any information relating to an identified or identifiable individual.
The definition can be divided into the four requirements of (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) 'individual' requiring their cumulative fulfilment in order to satisfy the notion of personal data.
Any Information
With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.
In this regard, the German Constitutional Court already in 1983 stated that "Under the conditions of automatic data processing, there is no longer meaningless data."[4] This position is supported by the Commission, stating that "any item of data relating to an individual, harmless though it may seem, may be sensitive",[5] thereby also following the wish of the Council to keep the definition as general as possible.[6] Already the European Court of Human Rights stated that:
- “private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”[7]
Accordingly, personal data includes information both regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.[8] The Information can either be ‘objective’ such as unchangeable characteristics of a data subject as well as ‘subjective’ in the form of opinions or assessments.[9] It is thereby not necessary for the information to be true, proven or complete.[10]
With regards to the format or medium of the information, data of any type, may it be alphabetical, numerical, (photo)graphical, acoustic, is concerned. This includes information on paper as well as information stored on a computer in binary form or on tape, such as videosurveillance,[11] telebanking,[12] medical prescriptions[13] or even child's drawings.[14]
Relating To
The information needs to relate to an individual. In accordance with the WP29[15] the CJEU assesses this requirement based on three different criteria, i.e. “where the information, by reason of its content, purpose or effect, is linked to a particular person.”[16]
The content of the information is 'relating to' a person when it is about a particular individual.[17] On the contrary, information relating to a bigger group of person without any possibility to single out a individual is not related to a particular person.[18] Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.[19] However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows to infer the owners wealth and income situation while car service records allow conclusions towards their driving behaviour.[20] In this regard, also Geodata (like GPS data and coordinates) allows to derive locations and movement patterns of individuals.[21] Especially, considering information on the growing amount of personal devices, wearables and RFID-Chips increasingly becomes related to their carrying person.[22]
Furthermore, the purpose of the information cause a relation to a person where used to change its particular status or behaviour.[23] Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.[24] The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.[25] For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.[26]
Identified or Identifiable
The person to which the information relates must also be identified or identifiable.
A person is “identified” where it can be distinguished or 'singled out' from a bigger group of persons from the information directly.[27] This is usually achieved through several 'identifiers' listed by Article 4(1) GDPR, such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.[28] Note that the name of a person is therefore not necessarily required to identify an individual given such typically more unique identifiers.[29]
A person is “identifiable” when it has not been identified yet but where identification is possible through a combination of available pieces of information.[30] In this regard, Recital 26 sentence 3 GDPR states “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.” Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from other entities to identify a person. However, the “reasonable likeliness” of such information being used by the controller, narrows the approach to a relative (subjective) one. In this regard, Recital 26 sentence 4 GDPR adds that in order “to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.”
In other words, while not all of the information required to identify the person needs to be in the hands of the controller[31] the mere hypothetical possibility to identify the person with the information from other entities is not sufficient either.[32] Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual taking into account state-of-the art tools, available sources, costs, time and effort required to perform the identification. In the case of collecting IP-addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access additional information required to link the IP-address to the respective visitor.[33]
Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.[34] Especially, where information is stored over a long period of time, persons become more likely to be identified as continuously more pieces of information are added to their data set.[35] In this regard, even pseudonymised data shall explicitly remain considered as information on an identifiable person, according to Recital 26 GDPR. For further information, see also the commentary on Article 4(5) GDPR.
Natural Person
The right to data protection is not restricted to certain nationals or citizens of specific countries[36] but granted to all natural persons according to Article 6 of the Universal Declaration of Human Rights, according to which “Everyone has the right to recognition everywhere as a person before the law”.[37]
Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.[38] Following up with the GDPR, information relating to deceased persons is then not considered personal data.[39] However, member states may provide alternative rules for the protection of deceased persons[40] which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through its relatives.[41] For more information, see also the commentary on Article 4(13) GDPR.
As the definition is limited to natural persons, also information on legal persons is generally not covered by the definition of personal data.[42] However, related provisions from the ePrivacy-Directive,[43] national data protection laws or constitutional laws can grant alternative protection.[44]
Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. Especially, where the information to on legal person allows to derive information on the natural person behind, such as a company’s name or mail address, it may be related to a natural person and therefore personal data. This is especially common for smaller businesses, family run or one person enterprises.[45]
Further Examples of Personal Data Subject to the CJEU
- Name, date of birth, nationality, gender, ethnicity, religion and language[46]
- Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities[47]
- Municipality of residence, information concerning the earned and unearned income and assets of that person[48]
- Data which relate both to the monies paid by certain bodies and the recipients[49]
- Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies[50]
- The times when working hours begin and end, as well as the corresponding breaks and intervals[51]
- Telephone numbers, employment and hobbies[52]
Relevant Recitals
(2) Processing
Processing is another central requirement for the application of the GDPR. To be considered as 'processing' the operation in question has to relate to personal data, according to Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by full-, semi or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.[57]
The notion of processing is formulated broadly by the GDPR through an enumeration of several operations:
- Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms[58]
- Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors
- Organisation (systematic ordering that enhance access and evaluation of information), such as the allocation of information within databases
- Structuring (ordering data according to certain criteria), e.g. in numerically or alphabetical order[59]
- Storage (saving information to a physical and readable format), such as on information on paper, files, disks, drives or cloud servers[60]
- Adaptation (adjustments to the content of information according to specific criteria), e.g. updating to information on age, address or income[61]
- Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymization[62]
- Retrieval (accessing stored information), for example loading information to be displayed on a device[63]
- Consultation (accessing stored information through targeted searches), such as using search routines to find and display data[64]
- Use (catching term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails[65]
- Disclosure by transmission (“pushing” information to recipients or other third parties), such as sharing customer information with another company
- Disclosure by dissemination (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting[66]
- Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines[67]
- Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions
- Combination (merging information), such as profiling (see also Article 4(4) GDPR)[68]
- Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website[69]
- Erasure (irreversible rendering of information impossible to access), such as overwriting data multiple times[70]
- Destruction (physically destroying the data carrier), such as shredding of files[71]
Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where controller remains completely passive without taking any active action towards information that is imposed by the data subject.[72]
Relevant Recitals
(3) Restriction of Processing
The restriction of processing means neither a complete prohibition to process nor an erasure of personal data. It is a limitation for the controller to process certain personal data only for very limited purposes.[73] Usually, restrictions to the processing of personal data occur when the data is not required for its purpose originally collected for any more, but cannot be deleted due to legal obligations.[74]
Technically, the restriction is realized through markers on the data in question that ‘locks’ it from further processing in the future.[75] In terms of automated systems, the restriction shall be ensured by technical safeguards to ensure the personal data is not subject to further processing or changes.[76] In terms of non-automated systems, marking the data is typically not sufficient but requires a relocation to a separate storage with access restrictions.[77]
Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.[78] In case, the data subject needs to be informed about the restriction of processing of their personal data according to Article 18(3) GDPR.
The restriction of processing can also be initiated by request of a data subject under the requirements of Article 18(1) GDPR or a data protection authority according to Article 58(2)(g) GDPR. For more information see the commentary on these provisions.
Relevant Recitals
(4) Profiling
With the explicit mentioning of profiling the GDPR reacts to recent risks and dangers origination from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.[79] These profiles are typically generated through the application of statistical-mathematical measures to personal data that produce predictions on the future behaviour of the data subject.[80]
Profiling does not require knowledge on the civil identity of the data subject.[81] It already occurs in association with online identifiers, such as IP-addresses, cookie IDs or RFID tags.[82] as well as information automatically collected from smart devices, wearables or cars.[83]
The definition provides a non-exhaustive list over common profiling criteria, such as work performance, economic situation, health or more general personal preferences, interests, behaviour as well as locations and movements. Popular examples are therefore
- Maintaining customer profiles for more efficient marketing[84]
- Operating systems for credit rating/scoring[85]
- Operating e-Recruitment Systems[86]
Besides the economic relevance for controllers, profiling takes effect within many other provisions across the GDPR such as its territorial application, see Article 3(2)(b) GDPR, Recital 24 GDPR, or automated decision making, Article 22 GDPR. In any case, the data subject has to be informed on the existence of profiling by the controller.[87]
Relevant Recitals
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.(5) Pseudonymisation
Pseudonymisation is the process of changing personal data in a way that information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. In order to count as pseudonymised data, this additional information needs to be kept separately and protected through technical and organisational measures to prevent an identification of the data subject through the respective controller.
Examples for the pseudonymisation of personal data include:
- Replacement of names through ID’s, codes or aliases[88]
- Encryption or hashing of data[89]
- Pixelation of video materials[90]
Pseudonymisation has to be distinguished from anonymization. Anonymization is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymized data.[91] Pseudonymisation, on the other hand, generally allows for an identification through the use of additional of information and is therefore invertible.[92]
The distinction between anonymized and pseudonymised data follows the decisive criteria of any reasonable likeliness from Recital 26 sentences 3, 4 GDPR considering the costs, amount of time required and available technology required to identify the data subject. However, considering the recent emergence around big data analytics and data processing capabilities, the process of anonymization becomes increasingly difficult.[93] And while some scholars argue for a ‘subjective anonymisation’,[94] the party undertaking the pseudonymisation is typically able to reassign the data subject.[95]
In any way, the information allowing re-identification of the data subject needs to be stored separately and must secured by technical or organisational measures to prevent identification.[96] In this regard, pseudonymisation helps to reduce risks for the data subjects and helps controllers and processors to meet their obligations from the GDPR.[97]
- Implementing security safeguards (see Article 32(1)(a) GDPR)
- Handling of personal data breaches (see Article 34(3)(a) GDPR)
- Changing purposes of data processing (Article 6(4)(e) GDPR)
- Serving principles of data minimization and security (Article 5(1)(c)(f) GDPR)
- Implementing Data Protection by Design and Default (Article 25 GDPR)
Relevant Recitals
(6) Filing System
The notion of ‘file system’ is an important criterion for the application of the GDPR in terms of non-automated data processing (see Article 2(1) GDPR). It is complementing the approach of technological neutrality followed by the GDPR.
A filing system is characterized through a structured set of personal data accessible to specific criteria. The structure of the information must allow a targeted search to personal data.[98] This is already satisfied, when personal data on a particular person is retrievable.[99]
The data can be stored either within a single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require to store information in multiple persons. Already storing structured information on a single person may qualify as filing system.[100]
Examples are:
- Salary lists on employees[101]
- Saved letter-correspondence with customers[102]
- Covid-19-Guest-Lists sorted by date[103]
Relevant Recitals
(7) Controller
The controller is the main addressee to obligations formulated by the GDPR. A controllership can be constituted by any natural or legal person, public authority, agency or other body determining the purposes and means of the processing of personal data. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.[104] In this regard, it the controller is to be distinguished from the processor, which is further explained in Article 4(8) GDPR.
The responsibilities of the controller are defined in Article 24 GDPR. Accordingly, the controller has to ensure to be able to demonstrate that any processing of personal data performed on his behalf is in accordance with the GDPR.
In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to Article 26 GDPR. Important, however, is utlimately the factual influence on the processing of the personal data[105] see Recital 79 GDPR. In this regard, the participation and influence on the purposes and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.[106]
For example, a joint controllership is assumed between
- Search-Engines-Operators and the websites of which information is structured, presented and complemented with advertisements within search results[107]
- Facebook and Administrators of Fan Pages on its social network[108]
- Facebook and Websites that integrated a ‘Like Button’[109]
In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller according to Article 26 GDPR. For further information see the commentary on that provision.
Relevant Recitals
(8) Processor
The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural, legal person, public authority, agency or body that processes personal data on behalf of the controller qualifies as a processor.
The most important distinction is, that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.[110] Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.[111]
Therefore, it can be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29[112] provides some examples as references for controller-processor relationships:
- Outsourcing of Callcenters for Customer Communications[113]
- Outsourcing of Mail Services[114]
- Cloud Hosting and Grid Computing[115]
- A Separated Entity Specialized in Data Processing within a Group of Companies[116]
When qualifying as a processor, many provisions of the GDPR apply to such entities, such as the required implementation of technical organizational measures (see Article 32 GDPR) as well as the possibility of being fined (see Article 82 GDPR). Of additional relevance is Article 28 GDPR, that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on Article 28(3) GDPR.
A special form of the processor is the ‘sub processor’ engaged by the processor which requires another processing agreement and authorisation through the controller. For further information see the commentary on Article 28(2),(4) GDPR.
Relevant Recitals
(9) Recipient
Another entity defined in the GDPR is the recipient. The notion of the recipient is kept very broadly, i.e. any party which personal data is disclosed to, independently of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, this entity classifies as recipient.[117]
The concept of the recipients is primarily relevant in terms of information obligations of the controller. According to Article 13 to 15 GDPR,[118] the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind is, that the controller whenever disclosing personal data to another entity, cannot completely take over responsibility for processing on its own any more.[119]
In this regard, it is discussed, whether a processor is also a recipient. One the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.[120] However, the concept of the recipient is completely independent of that of the third-party.[121] With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, Article 28 GDPR does not relieve the controller to inform the data subjects about its processors as recipients according to Article 13 to 15 GDPR.[122]
Not considered as recipient are, on the other hand, particular units within a company, such as the staff council or dependent establishments of the controller.[123] The wording of the provision suggests that the entity requires a particular degree of sovereignty in order to count as recipient.[124] Units that are inseparable part of the internal structure of the controller are therefore not to classify as recipients.
Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.[125] These inquiries, however, must be in the general interest and in accordance with Union or Member State law.[126]
Relevant Recitals
(10) Third Party
The concept of a third party complements the previously defined entities. It constitutes a negative delimitation, as any person different from the data subject, controller, processor or any other person authorized to process personal data by the controller. Its notion becomes mainly relevant in terms of evaluating of interests, such as in Article 6 (1)(f) GDPR.[127]
Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.[128] Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.[129] Similarly, internal staff of the controller is not a third party, unless the employee uses personal data for own purposes outside of the employment context.[130] In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.[131]
Relevant Recitals
(11) Consent
Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.[132] Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.[133]
The notion of consent within the GDPR is different from its constitutional equivalent in Article 8(2) ECFR. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.[134] Rather, it should be seen as an exception from the general prohibition of processing of personal data under Article 6(1) GDPR.
To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through Article 7 GDPR. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.[135]
Freely Given
Consent is only freely given, where there is no clear imbalance between the data subject and the controller.[136] Also, it shall not be considered freely given when it is conditional on the processing of personal data that is not necessary for the performance of the service.[137]
Examples where asymmetries of power and bundled consent usually occur are:
- Relationships with public authorities[138]
- Employer-employee-relationships[139]
- Use of major digital services with limited alternatives[140]
Informed
Consent needs to be provided in an intelligible and easily accessible form, using clear and plain language. Data Subjects must be able to understand the circumstances of processing of their personal data to estimate the consequences and implications of giving their consent.[141] According to recent case-law of the Court of Justice, the information shall also be “digested” by the data subject.[142] This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, like terms and conditions. For more information, see the commentary on Article 7(2) GDPR.
Specific
In accordance with the principle of transparency from Article 5(1)(b) GDPR consent must be provided for specific and legitimate purposes. While consent to the processing of personal data can be given for one or multiple purposes at the same time,[143] intentions and limitations must be formulated as precisely as possible. A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on Article 6(1)(a) GDPR.
Unambiguous
Consent must be given unambiguously in the form of clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.[144] This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.[145] Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.[146]
Withdrawal
Consent can be withdrawn at any time. Withdrawing of consent shall be as easy as it was giving it. The controller has to inform the data subject on the possibility to withdraw consent prior to the processing. For further information, see the commentary on Article 7(3) GDPR.
Capacity
Generally, consent must be given directly by the data subject or a nominated representative.[147] In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.[148] In the online context, Article 8(1) GDPR provides a minimum age of 16 while member states may not reduce that age limit to below 13.
Explicit Consent
The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more information check the commentary on Article 9(2)(a) GDPR, Article 22(2)(c) GDPR and Article 49(1) GDPR.
Relevant Recitals
(12) Personal Data Breach
A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing the concerned data is sufficient.[149]
Moreover, it requires a security breach within that processing. Such are any failures of technical or organizational safeguards implemented by the controller according to Article 32 GDPR. These failures can either be caused through targeted attacks from other parties or through mishandling of personal data through the controller or persons instructed, such as its employees.[150] Some examples for security breaches are:
- Hacking-attacks on systems involving personal data[151]
- Missing access protection to data storages or buildings[152]
- Sending data to unintended recipients[153]
- Employees unlawfully distributing data to third parties[154]
- Accidentally publishing or leaking data on website[155]
- Loss of physical data carriers[156]
- Destruction of data storing infrastructure[157]
- Unrestorable encryption through Ransomware[158]
- Unlocked storage of employee files[159]
As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.[160]
The notion of a personal data breach becomes especially relevant in terms of notification and communication obligations for controllers to data subjects and DPAs according to Articles 33, 34 GDPR. In this regard, the EDPB can issue further guidelines, recommendations and best practices for handling personal data breaches, Article 70(1)(g)(h) GDPR.[161]
(13) Genetic Data
‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on the growth, metabolism, appearance, diseases or alike, both already existent or entering in the future.[162] Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.
The classification as genetic data is becoming relevant in terms of Article 9(1) GDPR, that only allows its processing under strict requirements.[163] This is due to the sensitive character of such data, that allows a unique identification of the data subject and at the same time reveals personal health data[164] on them and biological relatives.[165] Especially in terms of heritage diseases, genetic data therefore carries a high risk of abuse in terms of employment and insurances.[166]
Relevant Recitals
(14) Biometric Data
‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for an unique identification. While this generally includes any means to analyse and measure the characteristics of humans[167] the technical processing and unique identification requirements place higher burdens.
The definition itself gives facial images and fingerprints[168] as examples for biometric data. However, the requirement for specific technical processing, ensures that simple pictures or even passport photographs shall not be considered as such.[169] It is the further processing through the application of facial recognition software, that qualifies the extracted information as biometric data. In this regard, also IRIS Scanners, DNS-Comparisons, voice or gait pattern analyses,[170] as well as typing patterns or even handwritten signatures[171] may be considered as biometric data.
Other data, that does not allow an unique identification, such as the body size or blood type, may not be considered biometric data.[172] However, these could then fall under the definition of ‘health data’ that offers similar protection like for biometric data, according to Article 9(1) GDPR.
Relevant Recitals
(15) Data Concerning Health
‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, current or future. In this regard, any information on diseases, risks, disabilities, their treatment and medical histories of a particular natural person explicitly qualify as health data.[173]
Examples for health data are information about:
- Addictions to alcohol, drugs or medications as well as the participation in self-help groups[174]
- Hospitalizations, sick notes and sick payments[175]
- Information the physical or mental invalidity to work[176]
- Data from health- or fitness apps on eating or movement patterns, for example from wearables and smartphones[177]
The notion of health data is therefore broader than ‘medicinal data’.[178] Furthermore, it strongly overlaps with the notions of genetic and biometric data.[179] in order to allow a seamless high protection within the scope of Article 9 GDPR.[180] For further information, check the commentary on Article 9 GDPR.
Relevant Recitals
(16) Main Establishment
If a controller or a processor have establishments in more than one member states, identifying its ‘main establishment’ is the first step to recognize the lead supervisory authority in a cross-border procedure.
It is the role of a data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently determine the corresponding lead authority.[181] The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the Working Party 29 stressed that the GDPR does not permit ‘forum shopping’ and conclusions cannot be based solely on statements by the organisation under review: The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.[182]
Main Establishment of a Controller
As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented”.[183]
Recital 22 GDPR defines an establishment as "the effective and real exercise of activity through stable arrangements". The legal form of such arrangements is irrelevant. According to the CJEU, an establishment depends on “both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned.”[184] In this regard, already the presence of a single representative can constitute a stable arrangement when acting with a sufficient degree of stability and the necessary equipment to provide the specific services in the member states concerned.[185]
If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.[186] It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:[187]
- Where are decisions about the purposes and means of the finally signed off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director with responsibility for cross border processing located?
- Where is the controller or processor registered as a company?
A supervisory authority may require from a controller to present additional information proving that its main establishment fulfils criteria envisaged in the GDPR.[188]
Main Establishment of a Processor
Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.
However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself but only in in the context of its activities within the scope of the GDPR.[189] The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that already the intention of a member state’s establishment to provide advertisement space for a third country undertaking is processing of personal data in the context of the Union’s establishment.[190]
Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “even if the local establishment is not actually taking any role in the data processing itself”.[191] This reasoning can be based on an “inextricable link” between activities of an establishment in the EU and data processing by a non-EU controller or processor.[192]
Cases Involving Both the Controller and the Processor
Recital 36 GDPR explains that “in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment”. For further information determining the lead and concerned supervisory authorities in cross border contexts involving both the controller and the processor see the commentary on Article 56 GDPR and Article 4(22)-(23) GDPR.
Relevant Recitals
(17) Representative
Representative are any legal or natural persons established in the union designated by a controller or processor, in accordance with Article 27 GDPR. They are not to be confused with the executive organ of the controller, but they serve as contact persons for data subjects and DPAs towards controllers and processors that are only located outside the Union.
In this regard, the notion of a representative becomes relevant in terms of actors that are falling within the territorial scope of the GDPR without having any establishment within the union (see Article 3(2) GDPR and Recital 80 GDPR).[193] In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance of the respective controller or processor.[194] This way, the representative prevents such actors only established in a third country to become “infeasible” for data subjects and DPA’s within the union. Examples for representatives may therefore be designated employees, lawyers or whole firms established within the union.[195]
The designation shall happen in a written form, containing the a mandate to represent the controller or processor under the obligations from the GDPR.[196] At the same time. the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.[197] However, it remains unclear how entities not providing a representative may be tackled by the GDPR.[198] This goes especially for public authorities that are excluded from the designation of a representative.[199]
Relevant Recitals
(18) Enterprise
An enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of their size, legal form or interests pursued.[200]
An enterprise requires a regular engagement in economic activities, which means activities intended for a long-term and not only in an occasional manner.[201] Excluded from such activities are completely familiarly or personal activities as part of the household exception, see the commentary on Article 2(c) GDPR.
While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ the translation to other languages merged both into a single notion.[202] This can cause controversy around the assessment of fines according to Article 83 GDPR, which by English language refers to the term of undertaking in accordance with Articles 101, 102 TFEU and thereby not to the definition of Article 4(18) GDPR.[203] In any case, however, the notion is to be understood broadly when enforcing actions or determining fines on a particular entity, see the commentary on Article 83 GDPR.
Relevant Recitals
(19) Group of Undertakings
A group of undertakings consists of a leading (“controlling”) entity and one or more thereof dependent (“controlled”) entities.[204] The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.[205] This is usually the case between a holding company and their subsidiaries.[206]
In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.[207] As long as one entity has the factual power to assert its will over the other entities,[208] they qualify as group of undertakings.[209]
Already two undertakings are sufficient to form a group.[210] However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.[211]
The classification as a group of undertakings becomes relevant for several provision across the GDPR, such as
- The joint designation of a Data Protection Officer (Article 37(2) GDPR),
- The formulation of binding corporate rules (Article 4(20) GDPR, Article 47 GDPR),
- The data transfer for internal administrative purposes (Article 6(1)(f) GDPR) with Recital 48 GDPR)[212]
- The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).
However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’ also used throughout several provisions across the GDPR. These consist of separate and independent entities, which do not exercise control over each other[213] and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.
Relevant Recitals
(20) Binding Corporate Rules
Binding corporate rules (short ‘BCR’) are ‘personal data protection policies’ formulated by controllers or processors established on the union for transfers of personal data outside the union within their group. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.[214] However, they only serve for for intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.
Furthermore, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, BCR must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules are therefore to be previously approved by the national DPA concerned.[215] Furthermore, the Commission may specify the format and procedures for the exchange of information for these rules.[216] For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on Article 47 GDPR.
Relevant Recitals
(21) Supervisory Authority
Supervisory Authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is, that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.[217]
Member states can decide to provide only one or multiple DPAs, to reflect their constitutional, organisational and administrative structure.[218] In this regard, DPAs must be public authorities[219] established on the national level.[220] And while each supervisory authority should be competent on the territory of its own member state,[221] they shall cooperate, mutually assisting each other and conduct joint operations with to foster a consistent application of the GDPR in cross border contexts (see Articles 60-63 GDPR and Recital 123 GDPR).
In this regard, DPAs may act independent (see Article 52 GDPR) and shall be provided with several competencies (Articles 55, 56 GDPR), Tasks (Article 57 GDPR) and Powers (Article 58 GDPR). For further information, see the particular commentary on these articles.
Relevant Recitals
(22) Supervisory authority concerned
Qualifying a supervisory authority as ‘concerned’ can result out of three situations as laid out by Article 4(22) GDPR:
- For a controller or processor, when it is established in a member state of a supervisory authority,
- for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
- where a complaint has been lodged with that supervisory authority.
Controller or Processor Establishment
The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,[222] independent of the form of such arrangements of an actual branch or subsidiary within the union.[223] This broad understanding is fostered by the EUCJ, including any real and effective activity exercised through stable agreements independently of their formalistic approach as an establishment.[224]
(Likely) Substantially Affection of the Data Subject
A substantial affection, although not being further specified from the GDPR, indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.[225] On the contrary, already the likelihood of such is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.[226] In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to the state as its permanent habitual center.[227]
Filing a Complaint with the Supervisory Authority
Filing a complaint with a particular supervisory authority makes them ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,[228] the supervisory authority can possibly be concerned without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on Article 77 GDPR.
Relevant Recitals
(23) Cross-Border Processing
Cross border processing means any processing taking place (i) in the in the context of the activities of establishments of a controller or processor in multiple member states, or (ii) in the context of a single establishment of a controller or processor in the union with (likely) substantially affects to data subjects in more than one member state.
Both conditions are therefore attached to the notion of ‘establishment’, whereas (i) requires the controller or processor to have multiple establishments within different member states of the union, while (ii) only requires the controller or processor to have an establishment within a single member state of the union.[229] In both cases, however, the controller or processor needs to be established in at least one member state.[230]
Processing in the Context of Establishments within Multiple Member States
The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,[231] independent of the formal declarations as a branch or subsidiary within the union.[232] Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an extricable link between the activities of the establishment and the processing is already sufficient.[233] Only remote links to the processing in question may not involve another entity and therefore not form a ‘cross border processing’.[234]
Processing (likely) to Substantially Affect Data Subject in Multiple Member States
A substantial affection, again indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.[235] In this regard, already the likelihood of such is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.[236]
The evaluation of across border processing is relevant for determining the competent lead supervisory authority in situations where the processing would concern such of multiple member states. In this regard, it contributes to the ‘one-stop-shop’-principle, which is further described within the commentary of Article 56 GDPR.
Relevant Recitals
(24) Relevant and Reasoned Objection
The ‘relevant and reasoned objection’ refers to situations, in which a supervisory authority concerned[237] objects to a decision draft provided by a lead supervisory authority[238] in terms of a cross-border-processing context.[239] When such objection is exercised by the supervisory authorities concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see Article 60(4) GDPR, Article 65(4) GDPR).
In order to not overload the EDPB with insufficiently grounded submissions causing delays for decisions,[240] Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. In this regard, they have to show an infringement or compliance of the GDPR in opposition to the lead authorities decision draft clearly demonstrating the significance of the risks posed by the draft decision.[241]
An objection is therefore only relevant and reasoned, when it refers to the concrete draft of a decision and does not only contain concerns of general nature.[242] This requires to provide the exact legal reasons for the objection,[243] clearly stating the the non-negligible risks for the data subjects or the free flow of personal data entailed.[244]
The notion of relevant and reasoned objection is to be further developed by the EDPB.[245] For further information on the EDPB’s criteria and procedure on elaborating a relevant and reasoned objection, check the commentary on Articles 60, 65 GDPR.
Relevant Recitals
(25) Information Society Service
For the definition on ‘information society service’ the GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535, on a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. Hereafter, such services are any “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.[246]
‘At a distance’ means that the service is provided without the parties being simultaneously present.[247] Thus, even when using electronic means, services provided within the physical presence of the recipient to the provider are not falling within this definition.[248]
‘By electronic means’ requires, that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example through being transmitted by wire, radio, optical or other electromagnetic means.[249] And while offline services are excluded from these services,[250] composite services such as the selling of goods, advertising and gaming do qualify as such.[251]
An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.[252] Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, teletext, are therefore not covered.[253] On the contrary, video-on-demand or pay-per-view services do qualify as information society services.[254]
Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical example are:[255]
- Online legal or health services
- Online libraries or newspapers
- Online shopping and booking services
- Online media-platforms or video games
- Online search engines and web browsers
The classification as information society service becomes relevant in several contexts of the GDPR, such as its material scope (see Article 2(4) GDPR[256]), children’s consent (see Article 8(1) GDPR), the right to erasure (see Article 17(1)(f) GDPR) or the right to object (see Article 21(5) GDPR). For further information in this context, see the commentary in the relevant provisions.
Relevant Recitals
(26) International Organisation
An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries.
While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969[257] serves as a source of inspiration for interpreting EU law according to the CJEU.[258] However, Article 2(1)(i) of the Convention defines international organisation as ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.[259]
In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO as well as Inter- and Europol shall fall under the term.[260] However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGO’s, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.[261]
The classification as international organization is relevant in terms of the additional rules placed on data transfers, according to Articles 44-50 GDPR. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organizations as as well.[262] For more information on the principles and additional safeguards placed on such transfers see the commentary on Articles 45-49 GDPR.
Further Definitions
Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains further articles that directly or indirectly deliver definitions in its context, such as:
- Article 5(1)(a) GDPR: ‘lawfulness, fairness and transparency’,
- Article 5(1)(b) GDPR: ‘purpose limitation’,
- Article 5(1)(c) GDPR: ‘data minimisation’,
- Article 5(1)(d) GDPR: ‘accuracy’,
- Article 5(1)(e) GDPR: 'storage limitation’,
- Article 5(1)(f) GDPR: ‘integrity and confidentiality’,
- Article 5(2) GDPR: ‘accountability’,
- Article 8 GDPR: ‘child’,
- Article 9 GDPR: ‘special categories of personal data’,
- Article 51 GDPR: ‘supervisory authority’,
- Article 68 GDPR: ‘European Data Protection Board’.
For further information check the commentary on the respective Articles.
Decisions
→ You can find all related decisions in Category:Article 4 GDPR
References
- ↑ European Commission, What is personal data? (accessed on 08.09.2021); its antonym is defined in Article 3(1) of Regulation (EU) 2018/1807.
- ↑ Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available here).
- ↑ Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, p. 19.
- ↑ German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available here).
- ↑ Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available here).
- ↑ Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available here); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available here).
- ↑ European Court of Human Rights. Amann v. Switzerland [GC], no. 27798/95
- ↑ For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurances or employment.
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; in fact, the GDPR provides tools to rectify incorrect information, see Article 16 GDPR.
- ↑ Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available here).
- ↑ A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available here).
- ↑ CJEU, Nowak, 20 December 2017, margin number 35 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available here), for example medical records on a patient, or the file of an employee
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).
- ↑ Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of the Mount Everest.
- ↑ See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).
- ↑ Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
- ↑ WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here); Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 38 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available here) with reference to the Commission.
- ↑ For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here).
- ↑ EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 43 (available here).
- ↑ WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
- ↑ EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available here); similar for cookies and device fingerprinting, see Klar/Bühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).
- ↑ Klar/Bühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).
- ↑ Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
- ↑ Recital 14 sentence 1 GDPR
- ↑ Universal Declaration of Human Rights, 10 December 1948 (available here).
- ↑ However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available here).
- ↑ See Recital 27 sentence 1 GDPR.
- ↑ See Recital 27 sentence 2 GDPR.
- ↑ Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available here).
- ↑ Recital 14 sentence 2 GDPR.
- ↑ See Article 1 Directive 2002/58/EC
- ↑ See Karg, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).
- ↑ CJEU, C-141/12, YS and Others, 17 July 2014 (available here).
- ↑ CJEU, C-524/06, Huber, 16 December 2008 (available here).
- ↑ CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available here).
- ↑ CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available here).
- ↑ CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
- ↑ CJEU, C-342/12, Worten, 30 May 2013 (available here).
- ↑ CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
- ↑ CJEU, C-582/14, Breyer, 19 October 2016 (available here).
- ↑ CJEU, C-212/13, Ryneš, 11 December 2014 (available here).
- ↑ CJEU, C‑434/16, Nowak, 20 December 2017 (available here).
- ↑ CJEU, C‑291/12, Schwarz, 17 October 2013 (available here).
- ↑ Herbst, in Kühling/Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020). [Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22. (NOMOS 2019).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).
- ↑ Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26. (NOMOS 2019).
- ↑ Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28. (NOMOS 2019).
- ↑ Recital 67 GDPR.
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30. (NOMOS 2019).
- ↑ Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).
- ↑ Recital 67 sentence 2 GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).
- ↑ Recital 67 sentence 1 GDPR.
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).
- ↑ Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).
- ↑ Recital 30 sentence 1 GDPR.
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).
- ↑ Recital 70 GDPR.
- ↑ Recital 71 sentence 1 GDPR.
- ↑ Recital 71 sentence 1 GDPR.
- ↑ Recital 60 sentence 3 GDPR.
- ↑ Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).
- ↑ Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).
- ↑ Recital 26 GDPR.
- ↑ Hullen, Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany, 05, 2015), p. 210.
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).
- ↑ Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 2 (Jan Sramek Verlag 2021).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021). and CJEU, C-25/17, Johovan Todistajat, 10 July 2018 (available here).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
- ↑ Jahnel, in Jahnel, DSGVO, Article 4 Z 6 GDPR, margin number 5 (Jan Sramek Verlag 2021).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available here).
- ↑ Hartung, in Kühling/Buchner, DS-GVO BDSG, Article 4 7 GDPR, margin number 13 (C.H. Beck 2020).
- ↑ CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available here).
- ↑ CJEU, C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available here), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.
- ↑ CJEU, C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available here), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.
- ↑ CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available here), accordingly, the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to its website as well.
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 6 February 201 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available here).
- ↑ WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available here) and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).]
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and Jahnel, in Jahnel, DSGVO, Article 4 Z 8 GDPR, margin number 4 (Jan Sramek Verlag 2021).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 September 2020, p. 29 f. (available here).
- ↑ More precise, Article 13(1)(e) GDPR, Article 14(1)(e) GDPR, Article 15(1)(c) GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).
- ↑ See Article 4(8) GDPR and Article 4(10) GDPR.
- ↑ See Article 4(9) GDPR, “whether a third party or not“.
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and Regenhardt, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).
- ↑ Article 4(9) sentence 2 GDPR.
- ↑ Recital 31 sentence 1 GDPR.
- ↑ See also Article 13(1)(d) GDPR, Article 14(2)(b) GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 02 Septmeber 2020, p.27 (available here); and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).
- ↑ EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available here); and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).
- ↑ Recital 32 sentence 1 GDPR.
- ↑ Recital 32 sentence 2 GDPR.
- ↑ Klement, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).
- ↑ Article 7(1) GDPR, Recital 42 sentence 1 GDPR.
- ↑ Recital 43 sentence 1 GDPR.
- ↑ Recital 43 sentence 2 GDPR.
- ↑ Recital 43 sentence 1 GDPR, and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).
- ↑ Bucher, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin numbers 2, 5 (C.H. Beck 2020).
- ↑ EUCJ, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
- ↑ Recital 32 sentences 5, 6 GDPR.
- ↑ Recital 32 sentence 3 GDPR.
- ↑ EUCJ, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available here).
- ↑ EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available here).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).
- ↑ Bucher, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 11 GDPR, margin number 67 (C.H. Beck 2020); Ernst, Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07, (2017), p. 111.
- ↑ Wording: “otherwise processed”.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
- ↑ Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
- ↑ See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available here).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).
- ↑ Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, Article 9(4) GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).
- ↑ Usually through the creation of referential patterns that are than compared with the data subject later for unique identification, see Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).
- ↑ Also called 'Dactyloscopic data'.
- ↑ Recital 51 GDPR, “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).
- ↑ Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
- ↑ Recital 35 sentence 2 GDPR.
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
- ↑ Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
- ↑ Petri, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 15 GDPR, margin number 5 (NOMOS 2019).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).
- ↑ Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).
- ↑ See Recital 35, “Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples”.
- ↑ However, in some cases (e.g. the public health sector) sensitive data can be necessary to be processed without the data subjects consent, see Recital 54 GDPR.
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available here).
- ↑ CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available here).
- ↑ CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).
- ↑ CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available here).
- ↑ WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
- ↑ WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
- ↑ According to which the GDPR applies to controllers outside the union processing personal data on subjects within the union “related to the offering of goods or services“ or “the monitoring of their behaviour”.
- ↑ Recital 80 sentence 6 GDPR.
- ↑ Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).
- ↑ Recital 80 sentences 3, 4 GDPR.
- ↑ Recital 80 sentence 5 GDPR.
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).
- ↑ Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).
- ↑ For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").]
- ↑ See Recital 150 sentence 3 GDPR.
- ↑ Recital 37 sentence 1 GDPR.
- ↑ Recital 37 sentence 1 GDPR.
- ↑ Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).
- ↑ For example through to have personal data protection rules implemented; see Recital 37 sentence 1 GDPR.
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).
- ↑ Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).
- ↑ Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).
- ↑ Pötters/Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “group privilege light”.
- ↑ Feiler, Forgó, EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).
- ↑ See Article 46(2)(b) GDPR.
- ↑ Article 47(1) GDPR.
- ↑ Article 47(3) GDPR.
- ↑ See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and Article 8(3) ECFR “Compliance with these rules shall be subject to control by an independent authority”.
- ↑ Recital 117 GDPR.
- ↑ Private actors cannot serve as DPAs, see Polenz, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 21 GDPR, margin number 1 (NOMOS 2019).
- ↑ The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see Article 51(1) GDPR and Article 68(3) GDPR “The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor”. It is adhering to its own Regulation (EU) 2018/1725, functionally overseeing and advising the European Institutions for their compliance with data protection rules.
- ↑ Recital 112 sentence 1 GDPR.
- ↑ See Recital 22 sentence 2 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).
- ↑ EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).
- ↑ For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
- ↑ See Recital 124 sentence 3 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).
- ↑ Polenz, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 23 GDPR, margin number 1 (NOMOS 2019).
- ↑ See Recital 22 sentence 2 GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 29; and EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 54.
- ↑ Google, EUCJ, Google Spain, C-131/12, 13 May 2014, margin number 53, 56; EUCJ, Weltimmo, C-230/14, 1 October 2015, margin number 25.
- ↑ For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the data processing non-EU entity within the scope of EU data protection law, see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).
- ↑ For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).
- ↑ See Article 4(22) GDPR.
- ↑ See Article 56 GDPR.
- ↑ See Article 4(23) GDPR.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).
- ↑ Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.
- ↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).
- ↑ Dix, in Kühling, Buchner, DS-GVO BDSG, Article 4 24 GDPR, margin number 1 (C.H. Beck 2020).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).
- ↑ See Recital 124 Sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
- ↑ Article 1(1)(b) Directive (EU) 2015/1535.
- ↑ Article 1(1)(b)(i) Directive (EU) 2015/1535.
- ↑ For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) Directive (EU) 2015/1535.
- ↑ Article 1(1)(b)(ii) Directive (EU) 2015/1535.
- ↑ See also see Annex I(2.) Directive (EU) 2015/1535.
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available here).
- ↑ Article 1(1)(b)(iii) Directive (EU) 2015/1535.
- ↑ See Annex I(3.) Directive (EU) 2015/1535.
- ↑ EUCJ, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available here).
- ↑ Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).
- ↑ Especially in terms of liability rules coming from Articles 12 to 15 of the eCommerce-Directive 2000/31/EC; see also Recital 21 GDPR]
- ↑ Available here.
- ↑ CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available here); see also Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p.306 (Oxford University Press 2020).
- ↑ Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).
- ↑ See Schröder, in Kühling, Buchner, DS-GVO BDSG, Article 4 26 GDPR, margin number 2 (C.H. Beck 2020).