GDPRhub structure guide: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 1: Line 1:
== Introduction ==
So, you volunteered to summarise a decision – what are the next steps? This short guide will show you how to successfully submit a summary of a DPA/court decision on the GDPRHub.  
So, you volunteered to summarise a decision – what are the next steps? This short guide will show you how to successfully submit a summary of a DPA/court decision on the GDPRHub.  


# Read the original decision. Use an automated translation tool if necessary.
# Read the original decision. Use an automated translation tool if necessary
# Carefully study the decision and extract the '''most important parts''', focusing on <u>GDPR-related issues</u>. Establish the following:
# Carefully study the decision and extract the '''most important parts''', focusing on <u>GDPR-related issues</u>. Establish the following:
#* Involved parties;
#* Involved parties;
Line 11: Line 12:
# Open the [[How to add a new decision|submission form]] and fill in the sections, taking into account the instructions below.  
# Open the [[How to add a new decision|submission form]] and fill in the sections, taking into account the instructions below.  
# Enter your (nick)name, submission ID and submit your summary on the GDPRHub. Congratulations!
# Enter your (nick)name, submission ID and submit your summary on the GDPRHub. Congratulations!
=== Automated translation ===
In the process of writing a summary it might be very helpful or even necessary to use an automated translation tool (e.g. DeepL). You are more than welcome to do so. However, we strongly discourage copy-pasting entire passages from the automated English translation. Rather, try to rephrase and shorten the given information. Most of the time, this will allow you to convey the key-message in a clear manner and to avoid legal jargon or mistakes in translation. '''A helpful tip''': if you are not sure about GDPR-related terminology in a specific language, go to the GDPR on [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679 EUR-Lex] and look for the terms used in the provisions of the GDPR in that specific language. <u>Example</u>: In the Netherlands, the GDPR is called AVG (= Algemene Verordening Gegevensbescherming).


== Summary Section ==
== Summary Section ==
Line 33: Line 37:


=== Facts ===
=== Facts ===
The Facts section describes what happened '''prior''' to the DPA/court decision. Facts should be presented in '''chronological''' order as follows:
The Facts section describes what happened '''prior''' to the DPA/court decision. Facts should be presented in '''chronological''' order.  
 
(1) The data subject submitted an access request...
 
(2) The controller did not reply...
 
(3) The data subject filed a complaint...
 
(4) You may include the data subject's and/or the controller's arguments here but do not mention what the DPA/court held.


Keep in mind:
Keep in mind:


* Establish who was the data subject and who was the controller/processor at the beginning. E.g. "X, an electronics retailer (the controller), took back its customer's (the data subject) used TV." After that, refer to them consistently as the controller and the data subject throughout the whole summary.
* Establish who was the data subject and who was the controller/processor at the beginning. E.g. "X, an electronics retailer (the controller), took back its customer's (the data subject) used TV." After that, refer to them consistently as the controller and the data subject throughout the whole summary.
* Try to be as chronological as possible. Rather than starting with the complaint being filed e.g. in October 2021 and then going back to the alleged violations in October 2020, start with what happened in October 2020 and finish with October 2021.
* Try to be as '''chronological''' as possible. Rather than starting with the complaint being filed e.g. in October 2022 and then going back to the alleged violations in October 2020, start with what happened in October 2020 and finish with October 2022:
* Focus on the facts that are relevant to the data protection issue at hand. The decision may concern other areas of law - leave out the facts that are only relevant to these other areas of law but not to data protection law.
*# ''The data subject submitted an access request...''
* Connect the Facts to the Holding. Whatever you include in this section, should prepare the reader for what is coming in the Holding section.
*# ''The controller did not reply...''
*# ''The data subject filed a complaint...''
*# ''The DPA started an investigation...''
*# ''In its defense, the controller argued that (a), (b), (c)...''
* Focus on the facts that are '''relevant''' to the data protection issue at hand. The decision may concern other areas of law - leave out the facts that are only relevant to these other areas of law but not to data protection law.
* Connect the Facts to the Holding. Whatever you include in this section, should '''prepare''' the reader for what is coming in the Holding section. In other words, make sure all the facts are well-selected and can explain the Holding.
* Do not include the violation or the fine or any legal reasoning of the DPA/court in the Facts. That belongs to the Holding section.
* Do not include the violation or the fine or any legal reasoning of the DPA/court in the Facts. That belongs to the Holding section.
* If it is an appeal or a second instance decision, then previous decisions should be summarised here. The Holding of the first instance proceedings becomes facts in an appeal.
* If it is an appeal or a second instance decision, then previous decisions should be summarised here. The Holding of the first instance proceedings becomes facts in an appeal.
Line 57: Line 58:
Keep in mind:
Keep in mind:


* Ideally, you should explain the DPA/court reasoning on each single matter at stake ("''First, the DPA held that the controller had violated Article ... Second, the DPA considered that... Finally, the authority considered that...''").
* Ideally, you should explain the DPA/court reasoning on each single matter at stake in separate paragraphs:
* If the decision concerned other areas of law, only mention them to the extent that it is relevant to data protection law. For instance, whether the controller lawfully collected a debt may be a prerequisite for finding whether the processing was lawful or not, but it is always important to circle back to the fact that the issue is whether the processing was lawful, not whether the debt collection was.
*# ''First, the DPA held that the controller had violated Article...''
* If multiple GDPR violations were found, it is usually a good idea to separate it into different paragraphs and start each paragraph with "First, the DPA held.." and "Second, the DPA also.." etc.
*# ''Second, the DPA considered that...''
* Do not say e.g. "The DPA held that under Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes." That's what the law itself says, that was not what the DPA held. Instead, you can say that the DPA "noted" or "pointed out" that data subjects have such a right and then follow up with e.g. "Hence, the DPA held in this case that because X, the controller violated Article 21(2) GDPR."
*# ''Finally, the authority considered that...''
* Similarly, for factual findings (e.g. that the controller did not erase the data), it is better to say "the DPA found". "The DPA held" should be used in regard to the actual ratio, e.g. "The DPA held that the meaning of 'sex life' under Article 9(1) GDPR encompasses...", "The DPA held that X constitutes a legitimate interest under Article 6(1)(f) GDPR", "The DPA held that Article 15(3) GDPR must be interpreted as.." or "The DPA held that the controller violated Article 6(1) GDPR."
* Do not say e.g. "''The DPA held that under Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes.''" That's what the law itself says, that was not what the DPA held. Instead, you can simply say that the DPA "noted" or "pointed out" that "''data subjects have such a right''" and then follow up with e.g. "''Hence, the DPA held in this case that because of X, the controller violated Article 21(2) GDPR.''"
* You may also include aggravating or mitigating circumstances, if the DPA/court does so.
* You may also include aggravating or mitigating circumstances, if the DPA/court does so.
 
* Avoid unnecessarily long explanations following the structure of the full decision. The DPA's structure may not always be suitable for the purposes of a GDPRhub summary, e.g. because the decision also concerned other areas of law or because the decision contained a number of procedural issues irrelevant to the GDPR violations.
Try to avoid:
 
* Restating what the law says without drawing any conclusions for the particular case. Do not only write, e.g. "The DPA recalled that Article 4(1) GDPR defines 'personal data' as any information relating to an identified or identifiable natural person", but also try to explain why the DPA considered that the information in question was considered personal data under Article 4(1) GDPR.
* Unnecessarily long explanations following the structure of the full decision. The DPA's structure may not always be suitable for the purposes of a GDPRhub summary, e.g. because the decision also concerned other areas of law or because the decision contained a number of procedural issues irrelevant to the GDPR violations.


=== Comment section ===
=== Comment section ===
The summary is supposed to be an objective overview of the decision without including personal opinions of the author. You are welcome to add any remarks you have on the decision to the comment section. This is also where you can include references to similar decisions by the DPA, especially if previous decisions have been issued against the same controller.
The summary is supposed to be an objective overview of the decision without including personal opinions of the author. You are welcome to add any remarks you have on the decision to the comment section. This is also where you can include references to similar decisions by the DPA, especially if previous decisions have been issued against the same controller. Note, it is not mandatory but '''highly encouraged''' to fill in this section.
 
Note, it is not mandatory but highly encouraged to fill in this section.
 
== Automated translation ==
In the process of writing a summary it might be very helpful or even necessary to use an automated translation tool (e.g. DeepL). You are more than welcome to do so. However, we strongly discourage copy-pasting entire passages from the automated English translation. Rather, try to rephrase and shorten the given information. Most of the time, this will allow you to convey the key-message in a clear manner and to avoid legal jargon or mistakes in translation.
 
'''A helpful tip''': if you are not sure about GDPR-related terminology in a specific language, go to the GDPR on [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679 EUR-Lex] and look for the terms used in the provisions of the GDPR in that specific language.
 
<u>Example</u>: In the Netherlands, the GDPR is called AVG (= Algemene Verordening Gegevensbescherming).

Revision as of 13:53, 27 January 2023

Introduction

So, you volunteered to summarise a decision – what are the next steps? This short guide will show you how to successfully submit a summary of a DPA/court decision on the GDPRHub.

  1. Read the original decision. Use an automated translation tool if necessary
  2. Carefully study the decision and extract the most important parts, focusing on GDPR-related issues. Establish the following:
    • Involved parties;
    • Factual circumstances leading to the proceedings before a DPA/court;
    • Relevant GDPR provisions;
    • The holding of the DPA/court;
    • Measures taken by the DPA against the controller or final decision of the court.
  3. Read over this document as well as the Style Guide in order to have a good idea of how your summaries should be structured and written.
  4. Open the submission form and fill in the sections, taking into account the instructions below.
  5. Enter your (nick)name, submission ID and submit your summary on the GDPRHub. Congratulations!

Automated translation

In the process of writing a summary it might be very helpful or even necessary to use an automated translation tool (e.g. DeepL). You are more than welcome to do so. However, we strongly discourage copy-pasting entire passages from the automated English translation. Rather, try to rephrase and shorten the given information. Most of the time, this will allow you to convey the key-message in a clear manner and to avoid legal jargon or mistakes in translation. A helpful tip: if you are not sure about GDPR-related terminology in a specific language, go to the GDPR on EUR-Lex and look for the terms used in the provisions of the GDPR in that specific language. Example: In the Netherlands, the GDPR is called AVG (= Algemene Verordening Gegevensbescherming).

Summary Section

Summarising a DPA or court decision is not an easy task. While writing a summary, do not focus on merely shortening the document. It is very important to explain to the reader the relevant facts and the holding DPA/court in a concise way. Therefore, make sure to carefully study the text of the decision before filling in the submission form. In case of doubt, contact one of the Channel Managers via MatterMost, as they will always be happy to help you out.

Short summary

The brief (200-250 characters) summary of the GDPRhub decisions is particularly important for the GDPRtoday newsletter. The aim is to automatically extract this text and use it for the weekly newsletter. Therefore, consistency and conciseness are even more important for this section than for the other parts of the summary. Please try to always follow the subsequent structure when drafting the short summary, and reserve more detailed sentences for the following sections of the summary. Keep in mind:

  • The short summary should contain the following elements: WHO against WHOM for WHAT action according to WHICH provision of the GDPR. You can be flexible with the inclusion and order of the elements depending on each particular case.
  • Convey the key takeaway from the case without, for example, overwhelming a morning commuter reading this on their phone with information.
  • Also please convert the fine amount to euros if in another currency (any online currency converter is fine). Remember to use the € symbol with no space before the amount.

Try to avoid:

  • General statements like (like "X violated the GDPR") as this gives readers very little information.
  • Company names (like "Creditinfo Lánstrausti hf.") unless the company is generally known in Europe (like "Amazon").
  • Say "a controller" (when the type of company is irrelevant) or "a credit ranking agency" (specific type of company).

Example template: The 'X' DPA fined 'Y' €50,000 for violating Article 'Z' GDPR by illegally processing the image of a data subject.

Example: The Spanish DPA imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent an email to the data subject with a third party's personal data.

Facts

The Facts section describes what happened prior to the DPA/court decision. Facts should be presented in chronological order.

Keep in mind:

  • Establish who was the data subject and who was the controller/processor at the beginning. E.g. "X, an electronics retailer (the controller), took back its customer's (the data subject) used TV." After that, refer to them consistently as the controller and the data subject throughout the whole summary.
  • Try to be as chronological as possible. Rather than starting with the complaint being filed e.g. in October 2022 and then going back to the alleged violations in October 2020, start with what happened in October 2020 and finish with October 2022:
    1. The data subject submitted an access request...
    2. The controller did not reply...
    3. The data subject filed a complaint...
    4. The DPA started an investigation...
    5. In its defense, the controller argued that (a), (b), (c)...
  • Focus on the facts that are relevant to the data protection issue at hand. The decision may concern other areas of law - leave out the facts that are only relevant to these other areas of law but not to data protection law.
  • Connect the Facts to the Holding. Whatever you include in this section, should prepare the reader for what is coming in the Holding section. In other words, make sure all the facts are well-selected and can explain the Holding.
  • Do not include the violation or the fine or any legal reasoning of the DPA/court in the Facts. That belongs to the Holding section.
  • If it is an appeal or a second instance decision, then previous decisions should be summarised here. The Holding of the first instance proceedings becomes facts in an appeal.

Holding

The Holding is the core of the decision and shows the DPA/court position on a certain matter. of the DPA with reference to the relevant provisions of the GDPR and national law.

Keep in mind:

  • Ideally, you should explain the DPA/court reasoning on each single matter at stake in separate paragraphs:
    1. First, the DPA held that the controller had violated Article...
    2. Second, the DPA considered that...
    3. Finally, the authority considered that...
  • Do not say e.g. "The DPA held that under Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes." That's what the law itself says, that was not what the DPA held. Instead, you can simply say that the DPA "noted" or "pointed out" that "data subjects have such a right" and then follow up with e.g. "Hence, the DPA held in this case that because of X, the controller violated Article 21(2) GDPR."
  • You may also include aggravating or mitigating circumstances, if the DPA/court does so.
  • Avoid unnecessarily long explanations following the structure of the full decision. The DPA's structure may not always be suitable for the purposes of a GDPRhub summary, e.g. because the decision also concerned other areas of law or because the decision contained a number of procedural issues irrelevant to the GDPR violations.

Comment section

The summary is supposed to be an objective overview of the decision without including personal opinions of the author. You are welcome to add any remarks you have on the decision to the comment section. This is also where you can include references to similar decisions by the DPA, especially if previous decisions have been issued against the same controller. Note, it is not mandatory but highly encouraged to fill in this section.