Article 4 GDPR: Difference between revisions

← Article 4: Definitions →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

16. ‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Relevant Recitals

Commentary

Article 4 GDPR provides a list of definitions used to further specify relevant terms used throughout the GDPR.

Some definitions are taken from the preceding Directive 95/46/EC, allowing an understanding to build upon the already existing terms. Other definitions, however, are newly introduced, modified, or complemented with additional elements, and therefore require a new interpretation.

(1) Personal data

The principal concept of the GDPR is that of ‘personal data’, as the Regulation only applies to personal data and refers to it throughout the text of the GDPR.

Its definition developed from a previously existing definition under Article 2 (a) Directive 95/46/EC.^[1] The Directive itself derives the definition from Article 2 (a) Convention 108,^[2] according to which "personal data means any information relating to an identified or identifiable individual".

The definition can be divided into the following four requirements: (1) ‘any information’; (2) ‘relating to’; (3) ‘an identified or identifiable’; (4) 'individual'. The fulfilment of all of these aspects is required in order to satisfy the notion of personal data.

Any information

With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.

In this regard, the German Constitutional Court already in 1983 stated that "Under the conditions of automatic data processing, there is no longer meaningless data."^[3] This position is supported by the Commission, stating that "any item of data relating to an individual, harmless though it may seem, may be sensitive",^[4] thereby also following the wish of the Council to keep the definition as general as possible.^[5] Equally, the European Court of Human Rights stated that “private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”.^[6]

Accordingly, personal data includes any information, no matter if it relates to the individual’s private and family life and information regarding the working, economic or social behaviour of the individual regardless of its position or capacity.^[7]

Example: Petra is keeping various information on her smartphone. This includes information that she does not seem to treat as private, as she even shares them online on widely available platforms, with her name attached, but there is also information about her love and sex life in chats, that she clearly feels are very private. In addition she keeps data in relation to her job as an independent contractor on her phone. The GDPR covers all such information - no matter if the information is trivial or extremely sensitive, private or related to her business.

The information can either be 'objective' such as unchangeable characteristics of a data subject as well as 'subjective' in the form of opinions or assessments.^[8] It is thereby not necessary for the information to be true, proven or complete.^[9] This means that also mere likeliness, predictions or planning information is covered by the GDPR, as long as it relates to a person.

Example: Petra is also customer of a bank with a private and a commercial bank account. The bank does not only hold her name, address, contact data or passport information, but also all her transaction data. In addition the bank also uses a system to predict if Petra may default on her loan. For the prediction the Bank uses information about unpaid bills from a third party provider. The information is actually incorrect, as Petra always paid her bills. All such data is covered by the GDPR, allowing Petra to e.g. use her rights under the GDPR to take action against incorrect information associated with her.

With regards to the format or medium of the information, data of any type - may it be alphabetical, numerical, (photo)graphical, acoustic - is included. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,^[10] telebanking,^[11] medical prescriptions,^[12] or even child's drawings.^[13] The GDPR deliberately does not specify the medium or types of information, following a 'tech neutral' approach.

Relating to

The information needs to relate to an individual. In accordance with the WP29,^[14] the CJEU assesses this requirement based on three different criteria, i.e. "where the information, by reason of its content, purpose or effect, is linked to a particular person".^[15]

The content of the information is 'relating to' a person when it is about a particular individual.^[16] On the contrary, information relating to a larger group of people without any possibility to single out a individual is not related to a particular person.^[17]

Example: A marketing company's system identifies twenty different groups within the French society. They assign different income levels, spending behaviours, and political views to these groups. This information is not covered by the GDPR. However, once the company assigns Felix's profile to such a group – claiming that he would be conservative, mid-level income, and open to spending his income on travels – this information now relates to Felix and is covered by the GDPR.

Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.^[18] However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows others to infer the owners wealth and income situation while car service records allow conclusions towards their driving behaviour.^[19] Also, Geodata (like GPS data and coordinates) allows others to derive locations and movement patterns of individuals.^[20] Equally, information from satellite images could be used to find out if a person can afford a large property or a swimming pool, provided that the image can be linked to an individual.^[18] This is particularly relevant in the current technological landscape, considering the wealth of information which can be extracted from a growing number of personal devices, wearables and RFID-Chips, especially as these devices become increasingly associated to their owners or users.^[21]

Example: A controller uses unique IDs of smart watches, smart phones and connected cars to collect information about the use of these devices. These devices are all used by a single person, so in fact the use of these devices also 'relate[s] to' a natural person.

Furthermore, the purpose of the information can determine whether it is 'related to a person', where it is used to change their particular status or behaviour.^[22] Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.^[23] The purpose is therefore closely connected to the effects of the processing of the information. Especially, the impact on a particular person’s rights and interests determines whether information is related to a person or not.^[24] For example, the deployment of a system to determine the position of available taxis would also allow for a monitoring the performance of respective drivers, strongly impacting their employment situation.^[25]

Identified or identifiable

The person to which the information relates must also be identified or identifiable.

A person is "identified" when they can be directly distinguished or "singled out" from a larger group of persons, based on the information.^[26] This can be achieved through several 'identifiers' listed by Article 4(1) GDPR, such as the name, identification number, locations, online identifiers, physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Other examples are provided by the Working Party 29 like telephone number, car registration, social security numbers and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.^[27] Note that the name of a person is therefore not necessarily required to identify an individual as there are often more unique identifiers.^[28]

Example: A controller holds the phone number of data subjects, but not the names. The users are still 'identified' by that number and the GDPR applies. Example: 'Ursula Schmidt' is such a generic name, that it may not be identified or even identifiable without additional information or context. 'Ursula von der Leyen' may be so specific that it is identifiably the president of the European Commission.

A person is "'identifiable' when they have not been identified yet but where identification is possible through a combination of available pieces of information.^[29] It can be unclear what is still 'identifiable' and what is not anymore. Different people may have different abilities to identify a person, and different contexts or situations may lead to different answers as to the person being identifiable. Recital 26 clarifies that "to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used... either by the controller or by another person to identify the natural person".

Starting point is therefore an absolute (objective) approach that generally considers both information of the controller as well as information from any other entities to identify a person. However, the 'reasonable likeliness' of such information being used by the controller or a third party, narrows the approach. In this regard, Recital 26 adds that in order "to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification... the available technology at the time of the processing and technological developments".

In other words, while not all of the information required to identify the person needs to be in the hands of the controller^[30] the mere hypothetical possibility to identify the person with the information from other entities is not sufficient.^[31] Thus, the assessment requires a case-to-case decision on the reasonable likeliness to identify an individual, taking into account the use of state-of-the art tools, available sources, costs, time, and effort requried to identify the individual. The assessment is factual and is not limited to lawful means to identify a person, when it is reasonably likely that an actor could also use unlawful ways to identify a person.

Case Law: In C-582/14 Breyer the CJEU had to consider if IP addresses enable the identification of a natural person. The IP address is the number under which a computer or smartphone can be reached over the internet. Almost every controller exchanging information with a data subject over the internet will have to use the IP addresses. IP addresses can be dynamic (meaning the number is lost every 24 hours or every time a customer restarts their internet modem) or fixed (which means the number is always associated with the same customer). It may be that such a number is associated with a user account, in which case it becomes personal data. Even if the number itself may not be linkable by a controller, governments but also private entities may have legal powers to access subscriber details in relation to the IP-address. The CJEU found that even in such cases, the IP address can constitute personal data.

This example from case law shows that many data types may constitute personal data in one situation and not in another situation. Usually controllers and processors cannot, for example, determine if an IP address in their log files is dynamic or fixed. In practice this may mean that controllers or processors choose to treat all IP addresses as if they are personal data, to ensure compliance with the GDPR.

Furthermore, taking the increasing accessibility of information through means such as big data technologies and device fingerprinting into consideration, measures to successfully identify individuals are becoming increasingly effective.^[32] Additionally, because more information is continuously added to individual data sets and stored over a longer period of time, persons are significantly more likely to be identified.^[33]

Natural person

The right to data protection is not restricted to certain nationals or citizens of specific countries^[34] but granted to all natural persons according to Article 8 of the EU Charter of Fundamental Rights ("Everyone has the right to the protection of personal data concerning him or her").^[35]

Example: A third country immigrant entered the EU illegally. Once she arrives she makes a WhatsApp call to inform her family back home that she is safe and is now in the EU. Given that the geographic application of Article 2 GDPR is now triggered, WhatsApp has to grant her all rights under the GDPR - independent of her immigration status or citizenship. This is because the GDPR follows a human rights approach.

Starting from this definition, national legislators usually limit it from to moment of birth to the death of a person.^[36] Following up with the GDPR, information relating to deceased persons is then not considered personal data.^[37] However, member states may provide alternative rules for the protection of deceased persons^[38] which is usually achieved through further data protection, constitutional, or personality rights. Another exception can apply for genetic data, where data of deceased persons may be indirectly protected through their relatives.^[39] For more information, see also the commentary on Article 4(13) GDPR.

Example: The health records of a deceased patient are not protected by the GDPR. However, most EU Member States have various rules relating the the use of health data or civil law provisions in relation to the right to privacy that may still cover information of deceased persons.

As the definition is limited to natural persons, information on legal persons is also generally not covered by the definition of personal data.^[40] However, related provisions from the ePrivacy-Directive,^[41] national data protection laws, or constitutional laws sometimes grant alternative protection.^[42] Furthermore, information regarding legal persons is also protected by the GDPR where it equals information on natural persons. This is particularly relevant where the information on a legal person allows one to derive information on a natural person. For example, a company name or mail address may be related to a natural person and therefore constitute personal data. This is especially common for smaller, family run, or one person businesses/enterprises.^[43]

Example: 'Marta O'Connel's Plumbing of Limerick Ltd.' is a limited company and not directly considered a 'natural person' under the GDPR. However, the sole owner and manager is Marta O'Connel and there is also no other female plumber in the whole province of Limerick. Therefore, it is easy to identify the natural person behind the legal entity. Information about 'Marta O'Connel's Plumbing Ltd.' going bankrupt therefore clearly also relates to an identifiable natural person and is, as such, covered by the GDPR.

Anonymous data

Personal data is often contrasted with 'anonymous' data. Anonymous data is data relating to a person that is not identifiable. The GDPR does not protect such data and controllers or processors are free to use such data (unless there are limits under other applicable law).

Example: Employees can participate in an internal vote. The ballots are thrown into a ballot box and mixed. The votes are properly anoymized. In a digital system, data can be stored without any linked personal information (like the user IDs). If the remaining information is anoynmous data and not covered by the GDPR.

In practice, it gets increasingly hard to truly anonymise personal data, especially when data is not very limited and uniform, or can be connected with other available information. New methods and technologies, such as big data analytics and artificial intelligence, are able to match and connect information that humans may not identify as being related.

Example: In 2006 the internet company AOL released 20 million searches that were entered into its search engine over three months. The searches of users could be connected via an anonymous ID. As many users entered personal information in the search box, the New York Times was able to quickly find the relevant users. AOL deleted the file later, but it was already widely copied.

Some technical solutions that may be useful or even required under the GDPR (e.g. from a security perspective under Article 32 GDPR or as a means of data minimisation under Article 5(1)(c) GDPR) can get confused with techniques to truly anonymise data.

Example: A payment provider and an airline strike a cooperation deal. When customers enter an email address during the airline booking process and the payment provider has the same email address in its files, only the payment provider will be shown as a payment option. The airline pays a lower transaction fee in return. To limit the exchange of customer data, they agree to only share 'hashes' of the email, which is a cryptographic fingerprint of the email address. While you cannot regenerate the email address from the hash value, everyone in possession of the email address can calculate the same hash value and see that the hash matches the email address. The technicians tell their Data Protection Officer that they only exchange anonymous data and there are no privacy issues involved. The Data Protection Officer, however, realises that the airline can single out the relevant customers. The data is therefore personal data and the system falls under the GDPR.

Examples of personal data in the CJEU's case law

There are a number of data types that were already the subject of CJEU case law:

• Name, date of birth, nationality, gender, ethnicity, religion and language;^[44]
• Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities;^[45]
• Municipality, information concerning the earned and unearned income and assets of a person;^[46]

• Salaries of employees of a public body;^[47]

• Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies;^[48]

• Working hours and times, as well as the corresponding breaks and intervals;^[49]
• Telephone numbers, employment and hobbies;^[50]

• Dynamic IP address;^[51]
• Video surveillance;^[52]
• The content of written exams;^[53]
• Fingerprints.^[54]

As always, whether or not data is actually personal data is a matter of context and case-by-case analysis.

(2) Processing

Processing is another central requirement for the application of the GDPR. It is defined as "any operation or set of operations which is performed on personal data".

Any operation or set of operations

The notion of processing is formulated broadly by the GDPR as 'any operation or set of operations'. The inclusion of 'a set of operations' means that, within the GDPR, the word 'processing' may refer to a single processing operation or a set of any number of operations.

The term processing is further explained by a list of non-exhaustive examples:

• Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms;^[55]
• Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors;
• Organisation (systematic ordering to enhance access and evaluation of information), such as the allocation of information within databases;
• Structuring (ordering data according to certain criteria), e.g. in numeric or alphabetical order;^[56]
• Storage (saving information to a physical and readable format), such as information on paper, files, disks, drives or cloud servers;^[57]
• Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income;^[58]
• Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation;^[59]
• Retrieval (accessing stored information), for example loading information to be displayed on a device;^[60]
• Consultation (accessing stored information through targeted searches), such as using search routines to find and display data;^[61]
• Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mails;^[62]
• Disclosure by transmission ('pushing' information to recipients or other third parties), such as sharing customer information with another company;
• Disclosure by dissemination (untargeted distribution of information to unlimited recipients), e.g. in newspapers, radio or tv broadcasting;^[63]
• Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines;^[64]
• Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions;
• Combination (merging information), such as profiling (see also Article 4(4) GDPR);^[65]
• Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website;^[66]
• Erasure (irreversible rendering of information impossible to access), such as overwriting data multiple times;^[67]
• Destruction (physically destroying the data carrier), such as shredding of files.^[68]

The only major exception to the above is where the controller remains completely passive without taking any active action towards information that is imposed by the data subject.^[69]

Performed on personal data

To be considered as 'processing' the operation in question has to be performed on personal data. Processing of other data does not fall under the definition.

Whether or not by automated means

Processing can be carried out by fully automated, semi-automated, or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.^[70]

Example: A person manually enters names into a system. The names are processed. The data is then stored and never looked at again. Storage is also processing and needs to comply with the GDPR. After years the hard drive that the data was stored on gets shredded. The destruction equally constitutes processing.

(3) Restriction of processing

Restriction is a specific form of processing. The restriction of processing means neither a complete prohibition to process nor an erasure of personal data, it is best described as a freezing of personal data for a certain period of time.

Usually, restrictions to the processing of personal data occur when the data is not required for the purpose for which it was originally collected, but cannot be deleted due to legal obligations.^[71] The restriction of processing can also be initiated by request of a data subject under the requirements of Article 18(1) GDPR or a data protection authority according to Article 58(2)(g) GDPR. For more information see the commentary on these provisions.

Example: Greta finds out that a credit ranking agency holds wrong information about her. As a consequence she cannot get a cell phone contract. The credit ranking agency has a huge backlog when correcting data. In the meantime the wrong information can be marked as contested and not used in the system.

Marking of stored personal data

The provision only applies to stored personal data. Personal data that is not at rest do not seem to be subject to a restriction of processing.

Marking the data is usually done by labels in systems or any other similar approach.

Aim of limiting their processing in the future

The restriction is not just limited to the marking of data, but must have the aim of limiting certain personal data only for very limited purposes.^[72] In practice this means that systems also have to react to the marking and, for example, not include the data in other processing operations anymore.

Obviously the limitation can only have an effect in the future. The fact that the law only requires one to 'aim' for the limitation should not be understood that the limitation must not be fully implemented.

Implementation

Technically, the restriction is realized through markers on the data in question which block it from further processing in the future.^[73] In terms of automated systems, the restriction shall be ensured by technical safeguards to ensure the personal data is not subject to further processing or changes.^[74] In terms of non-automated systems, marking the data is typically not sufficient but requires a relocation to a separate storage system with access restrictions.^[75]

Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.^[76] In case, the data subject needs to be informed about the restriction of processing of their personal data according to Article 18(3) GDPR.

(4) Profiling

Profiling is a specific form of processing. The concept is used in various provisions of the GDPR such as its territorial application, see Article 3(2)(b) GDPR, or automated decision making, see Article 22 GDPR. Profiling also triggers information duties under Articles 13(2)(f) and 14(2)(g) GDPR; access rights under Article 15(1)(h) GDPR; or the the need to perform data protection impact assessments under Article 35(3)(a) GDPR.

Evaluation of personal aspects

Profiling is defined as a processing operation with the purpose of evaluating personal aspects of a natural person.

Despite the rather specific general meaning of 'profiling', there is no minimal threshold of how much data must be used to constitute profiling or how personal or sensitive the personal aspects should be. The definition is therefore very broad and includes any way of calculating personal aspects of individuals.

Profiling is typically done by the application of statistical-mathematical measures to personal data that produce analysis of predictions of personal aspects.^[77]

Automatic processing

Manual review of personal data to evaluate personal aspects does not constitute profiling, as the definition requires 'automated processing'.

Exemplary list

The definition provides a non-exhaustive list over common types of profiling, such as:

• performance at work;
• economic situation;
• health;
• personal preferences;
• interests;
• reliability;
• behaviour;
• location; or
• movements.

Practical examples of 'profiling' are therefore:

• Creating customer preferences based on previous purchases or clicks;
• Maintaining customer profiles for more efficient marketing;^[78]
• Operating systems for credit rating/scoring;^[79]
• Operating e-Recruitment Systems.^[80]

(5) Pseudonymisation

Pseudonymisation is a form of processing that alters personal data so that identifying information is either separated or replaced to no longer allow its attribution to a particular data subject without the use of additional information. The aim is to reduce risks for the data subjects and help controllers and processors to meet their obligations under the GDPR,^[81] such as data minimisation or as part of a data security concept.

Pseudonymised data is a specific type of personal data and still falls under all relevant provisions of the GDPR. There are however some provisions that refer to pseudoymized personal data and treat it (slightly) different than personal data:

• Implementing security safeguards (see Article 32(1)(a) GDPR);
• Handling of personal data breaches (see Article 34(3)(a) GDPR);
• Changing purposes of data processing (Article 6(4)(e) GDPR);
• Serving principles of data minimization and security (Article 5(1)(c)(f) GDPR);
• Implementing Data Protection by Design and Default (Article 25 GDPR).

No longer attributed to a specific data subject

In order to count as pseudonymised data, the personal data must be processed in a way that cannot be attributed to specific data subject without the use of additional information. The pseudonymised data set itself, therefore. does not relate to an identified or identifiable person.

Additional information permitting attribution

Information allowing attribution of the data subject needs to be stored separately and must secured by technical or organisational measures to prevent identification.^[82]

Implementation

Examples for the pseudonymisation of personal data include:

• Replacement of names through ID’s, codes or aliases;^[83]
• Encryption of personal data;^[84]
• Hashing of personal data.^[85]

Difference to anonymization

The distinction between anonymized and pseudonymised data follows the decisive criteria of any reasonable likeliness from sentences 3 and 4 of Recital 26 GDPR, considering the cost, time, and available technology required to identify the data subject. However, considering the recent emergence of big data analytics and advanced data processing capabilities, the process of anonymisation is becoming increasingly difficult.^[86]

Common Mistake: Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.^[87] Pseudonymisation, on the other hand, generally allows for an identification through the use of additional of information and is therefore reversible.^[88]

(6) Filing system

The definition of a 'filing system' is relevant for the application of the GDPR in cases of non-automated data processing (see Article 2(1) GDPR).

Set of personal data

A filing system is characterized through a structured set of personal data. The data can be stored within either single or multiple data carriers in a centralized or decentralized manner. Also, a filing system does not require the storage of information on multiple persons. Storing structured information on a single person may qualify as filing system.^[89]

Structured by specific criteria

A set of data is only a structured filing system if it is accessible according to specific criteria. The structure of the information must allow a targeted search of personal data.^[90] For example, when personal data on a particular person is 'retrievable' it already satisfies this requirement.^[91]

Typical examples

Examples are:

• Paper archives, sorted by name, date or any other system;
• Salary lists on employees;^[92]
• Saved letter-correspondence with customers;^[93]
• Covid-19-Guest-Lists sorted by date.^[94]

(7) Controller

The controller is the main addressee of obligations under the GDPR. The controller is defined as the body that determines the purposes and means of the processing.

Objective approach

The GDPR foresees that the controller must be determined based on the objective facts of the case. This means that mere declarations in contracts, privacy notices and alike do not constitute a binding determination of controllership. The objective approach requires a detailed assessment, but also prevents so-called 'forum shopping' and responsibility shifting.

Any natural or legal person

A controller can be any natural or legal person, public authority, agency or other body. Everyone with legal capacity can be a controller when processing personal data, including individuals, private legal entities, or government entities. It is necessary to assign the determination of purpose and means (see below) to a responsible entity. Departments, individual establishments, or other elements that are not legally independent form one controller together with the legal entity that they belong to.^[95]

It is after all a matter of national law if, for example, workers councils within a company or individual government entities form a legally separate body or not. If they are legally separate holders of rights and duties, they can form a separate controller.

If a person within the controller acts outside of their assigned capacity and processes personal data for their own purpose, their acts cannot be attributed to the controller and they become their own controller, with their own responsibilities of any processing operation they may undertake.^[96]

Example: In Member State 'A' schools are their own legal entity. In Member State 'B' schools are part of the Ministry of Education and are not separate holders of rights. In Member State 'A' the school is typically the controller for processing operations within it, while in Member State 'B' the Ministry is typically the controller. If the computer science teacher in either school decides to use a school server to host his own private software project, the teacher is typically considered a separate controller.

Determination

The key element of the controller definition is the focus on the entity making the relevant determinations for any processing activity. The determinations of persons acting on behalf of an entity are attributed to that entity. It is necessary to review which entity, or element within an entity, objectively made determinations about the purpose and means. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.^[97]

Merely formal declarations are not relevant. Especially in complex situations where many players are involved in the processing operation, the proper identification of the controller may prove to be complex.

Example: Company 'A' offers an app to users. The head of the IT department suddenly decides that personal data of users will be processed for the purpose of product improvement and advertisement of the app itself. The CEO of the company does not raise any objections. Company 'A' is the controller for the processing operations and ultimately responsible for complying with the GDPR.

Purposes

Personal data may only be processed for a specified, explicit and legitimate purpose (see Article 5(1)(b) GDPR). The body that decides over the purpose is typically the controller. The determination of the purpose it the primary element to review when determining controllership.^[98]

Means

The means include the personal data that is processed to achieve the purpose; the duration of the processing; the recipients of personal data; as well as the technical means to process personal data, such as hardware or software.^[99] The controller must only determine the means, but must not control them physically.

Example: A company uses an external service for statistical analysis. The systems of the external service collect personal data and calculate the results. The company does not even have access to the raw information. Nevertheless, the company has determined the purposes and means of the processing (including the described system) and is hence the controller.

Opening clause for a determination by EU or Member State law

Article 4(7) GDPR allows that specific EU or national law (lex specialis) may assign the controllership to a certain entity for specific processing operations. Such provisions typically define controllership when private entities act in the public interest or are fulfilling public tasks. The clause also allows Member States to clarify controllership among different public bodies or elements. Such explicit determinations in EU or national law should not be confused with generic national laws that assign certain duties to an entity without determining controllership itself.

Joint controllership

In cases of joint decisions on the means and purposes of the processing of personal data, these responsibilities can be shared with different entities. In such cases of a ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing within an agreement according to Article 26 GDPR. Important, however, is utlimately the factual influence on the processing of the personal data^[100] (see Recital 79 GDPR). In this regard, the participation and influence on the purpose and means can be very different among the actors involved in the data processing. In order to ensure an effective and complete protection of the data subject in this regard, the concept of ‘controller’ is interpreted broadly in jurisdiction.^[101]

For example, a joint controllership is assumed between:

• Search-Engine-Operators and the websites on which information is structured, presented and complemented with advertisements within search results;^[102]
• Facebook and the entity administering pages on the social network;^[103]
• Websites that integrated elements of a third-party controller, such as a ‘Like Button’.^[104]

In each case, however, the responsibility for each entity is strictly limited to the part where it has influence on the purposes and means of the processing. This raises especial relevance to clarify the responsibilities of each controller, as required by Article 26 GDPR.

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(8) Processor

In practice most controllers do not process all their personal data themselves, but use various external providers, such as hosting providers, SaaS providers or so-called 'Cloud' providers, that process data on their behalf. The GDPR regulates these 'processors', as well as the interplay between the controller and the processor.

Once an entity qualifies as a 'processor', many provisions of the GDPR apply, such as the required implementation of technical organizational measures (see Article 32 GDPR) as well as the possibility of being fined (see Article 82 GDPR). Of additional relevance is Article 28 GDPR, that shall ensure meeting the requirements of the GDPR through binding data processing agreements. For further information, see also the commentary on Article 28(3) GDPR.

Any natural or legal person

Just like a controller, a processor can be any natural person, legal person, public authority, agency, or body. Internal units that process personal data on behalf of another department within the same legal entity (e.g. an IT department) are not processors, but are part of the controller.

Processing on behalf of the controller

The most important distinction is that, unlike the controller, the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller, solely carrying out the technical operations for the processing of personal data.^[105]

Sub-Processors

A special form of the processor is the 'sub-processor'. This is another processor, that is engaged by the processor. In theory there can be any number of sub-sub-processors. In practice such setups are very hard to manage for a controller. For further information see the commentary on Article 28(2) and (4) GDPR.

Distinction to a (joint) controller

In practice major IT companies (usually 'processors') are often more in control of processing operations than their commercial customers (usually 'controllers'). They usually offer a standard product with very specific terms and conditions, while many controllers may not. Therefore, it can be difficult to distinguish a 'joint controller' or 'co-controller' from a processor.

Roles are specific for each processing operation

Usually each processor also conducts processing operations where it is itself the controller. This is also the case whenever the processor acts against the orders of the controller and processes personal data for further purposes. In all these situations, it qualifies as a controller.^[106]

Exemplary list

In this regard, the Working Party 29^[107] provides some references as examples of controller-processor relationships:

• Outsourcing of call centers for customer communications;^[108]
• Outsourcing of mail services;^[109]
• Cloud Hosting and grid computing;^[110]
• A separate entity specialized in data processing within a group of companies.^[111]

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(9) Recipient

The 'recipient' is an umbrella term and defined as anybody (like controllers, processors, third parties) to whom personal data is disclosed to. Therefore, whenever a controller sends personal data to another entity, this entity classifies as recipient.^[112] The concept of the recipients is primarily relevant in terms of information obligations of the controller. According to Article 13 to 15 GDPR,^[113] the controller has to inform the data subject about recipients or categories of recipients of their personal data. The reasoning behind this is that the controller, whenever disclosing personal data to another entity, cannot completely take over responsibility for processing on its own any more.^[114] Listing the recipients ensures that the data subject is fully informed as to the whereabouts of their personal data.

Any natural or legal person

Just like a controller or processor, a recipient can be any natural person, legal person, public authority, agency, or body. On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.^[115]

Disclosure

The core element of the definition is the 'disclosure' of personal data. This includes any voluntary act of data sharing, including transmission, dissemination or otherwise making available (see Article 4(2) GDPR).^[116]

Processors

There is an ongoing discussion as to whether a 'processor' can also be considered a 'recipient'. On the one hand, the processor is generally acting on behalf of the controller and therefore not a third party.^[117] However, the concept of the recipient is completely independent of the third-party.^[118] With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk from any disclosure of data, the processor is also to be considered a recipient. Therefore, Article 28 GDPR does not relieve the controller to inform the data subjects about its processors as recipients according to Article 13 to 15 GDPR.^[119]

Exception for public authorities

Another exception exists regarding independent financial and administrative public authorities, such as tax or customs authorities receiving personal data on a particular inquiry.^[120] These inquiries, however, must be in the general interest and in accordance with Union or Member State law.^[121]

(10) Third Party

The term 'third party' is used to describe anyone other than the data subject. This notion becomes relevant mostly in terms of evaluating interests, such as in Article 6 (1)(f) GDPR.^[122]

Negative definition

'Third party' constitutes a negative definition, as any natural or legal person, public authority, agency, or body different from:

• the data subject;
• controller;
• processors; or
• any other person authorized to process personal data by the controller.

Dynamic classification of third parties

While an entity may be a third party may from the perspective a given controller, it may itself be a controller or processor for any processing operation it conducts itself. The notion of a 'third party' is therefore not absolute, but based on the circumstances of a certain processing operation.

Typical cases

Following from the definition, processors or sub-contractors authorized by the controller for processing are not considered third parties.^[123] Also, dependent branches or departments of a controller are not considered third parties, except for where they are located outside the EU.^[124] Similarly, internal staff of the controller are not a third parties, unless the employee uses personal data for their own purposes outside of the employment context.^[125] In this case, although considered a third party from the point of the controller, they become controllers themselves for processing the personal data.^[126]

EDPB Guidelines: On this provision there are the Guidelines 07/2020 on the concepts of controller and processor in the GDPR

(11) Consent

Consent is one of the legal basis mentioned under Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data.

The requirements for consent require a joint reading of Articles 4(11), 6(1)(a), 7 and 8 GDPR.

• For the definition of 'consent', see the more commentary under Article 6(1)(a) GDPR and Article 7 GDPR.
• For the definition of 'explicit consent', see the commentary under Article 9(2)(a) GDPR.

EDPB Guidelines: on this provision there are EDPB Guidelines 05/2020 on consent under Regulation 2016/679

(12) Personal data breach

The definition of 'personal data breach' is relevant for the notification duties under Articles 33 and 34 GDPR.

Breach of security

The definition of a data breach requires a security breach, such as a failure of technical or organisational safeguards implemented by the controller according to Article 32 GDPR.

Accidental or unlawful

These failures can either be caused by accident (e.g. through mishandling of personal data by the controller, employees and alike) or by unlawful acts (e.g. targeted attacks, hacking or a physical break in).^[127]

Destruction, loss, alteration, unauthorised disclosure, or access

As a consequence, the incident has to lead to an accidental or unlawful destruction, loss, alteration of data or the unauthorised disclosure or access thereof. In any case where personal data is disclosed, it qualifies as personal data breach through the mere possibility to access that data. Any real access to the disclosed data is not necessary.^[128]

Although the transmission and storage of data are explicitly highlighted, any type of processing the concerned data is sufficient.^[129]

Typical cases

Some examples for personal data breaches are:

• Hacking-attacks on systems involving personal data;^[130]
• Missing access protection to data storages or buildings;^[131]
• Sending data to unintended recipients;^[132]
• Employees unlawfully distributing data to third parties;^[133]
• Accidentally publishing or leaking data on website;^[134]
• Loss of physical data carriers;^[135]
• Destruction of data storing infrastructure;^[136]
• Unrestorable encryption through Ransomware;^[137]
• Unlocked storage of employee files,^[138]accidental or unlawful.

(13) Genetic data

‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which gives unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, disease or alike, both already existent or emerging in the future.^[139] Examples for obtaining such data are given in Recital 34 GDPR, mentioning in particular chromosomal, deoxyribonucleic acid (DNA), or ribonucleic acid (RNA) analyses.

The classification of genetic data is becoming relevant in terms of Article 9(1) GDPR, which only allows its processing under strict requirements.^[140] This is due to the sensitive character of such data, allowing a unique identification of the data subject and, at the same time, revealing personal health data^[141] on them and biological relatives.^[142] Especially in terms of heritage diseases, genetic data carries a high risk of abuse in terms of employment and insurance.^[143]

(14) Biometric data

‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,^[144] the technical processing and unique identification requirements place higher burdens.

The definition itself uses facial images and fingerprints^[145] as examples for biometric data. However, the requirement for specific technical processing ensures that simple pictures or even passport photographs shall not be considered as such.^[146] Although, further processing through the application of facial recognition software would qualify the extracted information as biometric data. In this regard: IRIS Scanners; DNS-Comparisons; voice or gait pattern analyses;^[147] as well as typing patterns or even handwritten signatures,^[148] may be considered as biometric data.

Other data that does not allow an unique identification, such as body size or blood type, may not be considered biometric data.^[149] However, these could then fall under the definition of ‘health data’ that offers similar protection to that afforded to biometric data, according to Article 9(1) GDPR.

(15) Data concerning health

‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the procurement of health care services revealing such information. According to Recital 35 GDPR, these include all data referring to the health status of the data subject from the past, present or future. In this regard, any information on diseases, risks and disabilities - in addition to medical treatment and history - of a particular natural person explicitly qualifies as health data.^[150]

Examples for health data includes information about:

• Addictions to alcohol, drugs or medications as well as the participation in self-help groups;^[151]
• Hospitalizations, sick notes and sick payments;^[152]
• Information the physical or mental invalidity to work;^[153]
• Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones.^[154]

The notion of health data is therefore broader than ‘medicinal data’.^[155] Furthermore, it strongly overlaps with the notions of genetic and biometric data,^[156] in order to allow a seamless and high level of protection within the scope of Article 9 GDPR.^[157] For further information, please check the commentary on Article 9 GDPR.

EDPB Guidelines: on this provision there are EDPB Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

(16) Main establishment

If a controller or a processor have establishments in more than one member state, identifying its 'main establishment' is the first step to recognising the lead supervisory authority in a cross-border procedure under Article 56 GDPR.

Objective criteria

The main establishment of an entity must be determined according to objective criteria.^[158] As the main establishment determines the relevant supervisory authority, the Working Party 29 stressed that the GDPR does not permit 'forum shopping' and conclusions cannot be based solely on statements by the controller or processor. The controller or processor’s analysis can be overturned based on an objective examination of the relevant facts.^[159]

(a) Main establishment of a controller

General rule: central administration

As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, "the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented".^[160]

Recital 22 GDPR defines an establishment as "the effective and real exercise of activity through stable arrangements". The legal form of such arrangements is irrelevant. According to C-230/14 - Weltimmo, an establishment depends on "both the degree of stability of the arrangements and the effective exercise of activities in that other Member State [which] must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned".^[161] In this regard, merely the presence of a single representative can constitute a stable arrangement, when they are acting with a sufficient degree of stability and have the necessary equipment to provide the specific services in the member states concerned.^[162]

Exception: processing decisions in another establishment

If a controller’s main establishment is not the place of its central administration in the EU, the exception to the general rules kicks in. In this case it is necessary to determine the establishment based on where the effective and real exercise of main decisions on the purposes and means of processing take place.^[163] It should depend neither on the place of the processing nor the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment the Working Party 29 developed several guiding questions:^[164]

• Where are decisions about the purposes and means of the finally signed off’?
• Where are decisions about business activities that involve data processing made?
• Where does the power to have decisions implemented effectively lie?
• Where is the Director with responsibility for cross border processing located?
• Where is the controller or processor registered as a company?

(b) Main establishment of a processor

Central administration

Similarly to the rules for controllers, the main establishment of a processor located in multiple member states shall also be the place of its central administration.

See above for details on determining the central administration.

No central administration

However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in a Union’s establishment subject to the obligations under GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in in the context of its activities within the scope of the GDPR.^[165]

The meaning of 'the context of activities' has already been specified in C-131/12 - Google Spain. The CJEU build on a broad definition of 'establishment' and clarified that merely the intention of a member state’s establishment to provide advertisement space for a third country undertaking constitutes processing of personal data in the context of the Union’s establishment.^[166]

Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU "even if the local establishment is not actually taking any role in the data processing itself".^[167] This reasoning can be based on an "inextricable link" between activities of an establishment in the EU and data processing by a non-EU controller or processor.^[168]

Cases involving both the controller and the processor

Recital 36 GDPR explains that "in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment". This is not reflected in the text of the relevant Articles.

For details see the commentary on Article 56 GDPR.

(17) Representative

Where a third country controller or processor falls under the territorial scope of Article 3(2) GDPR, it must (in most cases) appoint a representative in the EU. Representatives are any legal or natural persons established in the union, designated by a controller or processor in accordance with Article 27 GDPR.

For more details see the commentary on Article 27 GDPR.

(18) Enterprise

An 'enterprise’ means any natural or legal person, partnerships or associations regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of an enterprise, irrespective of their size, legal form or interests pursued.^[169] An enterprise requires a regular engagement in economic activities, which means activities intended to be carried out over a a long-term and not only in an occasional manner.^[170] Being a 'small [or] medium enterprise' is a precondition for the waiver of the duties under of Articles 30(5) GDPR.

While the English version of the GDPR distinguishes between the ‘enterprise’ and ‘undertaking’ other language versions merged both into a single notion (like 'Unternehmen' in German or 'entreprise' in French).^[171] This caused confusion around the assessment of fines according to Article 83 GDPR, which by English language refers to the term of undertaking in accordance with Articles 101, 102 TFEU and thereby not to the definition of Article 4(18) GDPR.^[172] The broader definition of an 'undertaking', which includes parent companies and all subsidiaries, leads to higher fines for such structures, when the fine is calculated based on the global turnover.

(19) Group of undertakings

A group of undertakings consists of a leading ('controlling') entity and one or more thereof dependent ('controlled') entities.^[173] The central characteristic for a group of undertakings is therefore, that one entity exerts a dominant influence over the others, for example through ownership or financial participation.^[174] This is usually the case between a holding company and their subsidiaries.^[175] In this regard, the mere possibility of exercising control over the the other entity is sufficient, a real exercise of such control is not necessary.^[176] As long as one entity has the factual power to assert its will over the other entities,^[177] they qualify as group of undertakings.^[178]

Two undertakings are sufficient to form a group.^[179] However, a controller giving mere instructions to a processor regarding the processing of personal data does not qualify as a group of undertakings.^[180]

The classification as a group of undertakings becomes relevant for several provision across the GDPR, such as

• The joint designation of a Data Protection Officer (Article 37(2) GDPR);
• The formulation of binding corporate rules (Article 4(20) GDPR, Article 47 GDPR);
• The data transfer for internal administrative purposes (Article 6(1)(f) GDPR) with Recital 48 GDPR);^[181]
• The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).

However, the notion is to be distinguished from a "group of enterprises engaged in a joint economic activity" who can jointly use binding corporate rules under Article 47 GDPR. These consist of separate and independent entities, which do not exercise control over each other,^[182] and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.

(20) Binding corporate rules

Binding corporate rules (short ‘BCR’) are data protection policies formulated by controllers or processors established in the Union for transfers of personal data to entities within their group that are established outside the Union. In this regard, binding corporate rules constitute a legal basis to transfer personal data to third countries without an adequacy decision.^[183] However, they only apply to intra-corporate transfers, i.e. between entities of the concerned group of undertakings or enterprises. Transfers to entities outside of these groups are not covered by binding corporate rules.

For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on Article 47 GDPR.

(21) Supervisory authority

Supervisory Authorities ('SAs') or, colloquially, 'Data Protection Authorities' ('DPAs') are the independent public authorities responsible for monitoring the application of the GDPR under Article 51 GDPR. Member States can decide to provide only one or multiple supervisory authorities, to reflect their constitutional, organisational and administrative structure.^[184]

Example: Austria, France and Ireland have a single supervisory authority for enforcing the GDPR. While the Irish and French supervisory authorities are also in charge of enforcing the ePrivacy Directive 2002/58/EC (Austria gave this power to the Telecoms Regulator). Germany has a federal supervisory authority and at least one authority for each of the sixteen German states. Some states have more than one authority, for different types of controllers.

Supervisory authorities act independently (see Article 52 GDPR) and shall be provided with various competencies (Articles 55, 56 GDPR), tasks (Article 57 GDPR) and powers (Article 58 GDPR). For further information, see the particular commentary on the named articles.

(22) Supervisory authority concerned

Only 'supervisory authorities concerned' have certain roles in the cooperation procedure under Articles 60 to 66 GDPR. Other supervisory authorities may not participate in the relevant procedures. Qualifying a supervisory authority as ‘concerned’ can result out of three situations as laid out by Article 4(22) GDPR:

• For a controller or processor, when it is established in a member state of a supervisory authority,
• for a data subject, when it is residing in the member state of a supervisory authority (likely) substantially affected by the processing of personal data, or
• where a complaint has been lodged with that supervisory authority.

Controller or processor establishment

The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,^[185] independent of the form of such arrangements of an actual branch or subsidiary within the union.^[186] This broad understanding is fostered by the EUCJ, including any real and effective activity exercised through stable agreements independently of their formalistic approach as an establishment.^[187]

(Likely) Substantial affection of the data subject

A substantial affection, although not being further specified from the GDPR, indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.^[188] On the contrary, merely the likelihood of such an impact is sufficient, and an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case to case basis.^[189] In any case, this requires the data subject to reside in the member state of the DPA and therefore to have at least stable links to the state as its permanent habitual centre.^[190]

Filing a complaint with the supervisory authority

Filing a complaint with a particular supervisory authority makes them a ‘concerned’ authority. Since complaints can also be filed with DPAs different from where the data subject resides,^[191] the supervisory authority can possibly be 'concerned' without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on Article 77 GDPR.

(23) Cross-border processing

The definition of 'cross-border processing' is not intuitive, as not every form of cross-border processing is 'cross-border' under the GDPR. The limited definition in turn limits the application of the ‘one-stop-shop’ system, which is further described within the commentary of Article 56 GDPR.

(a) Processing in the context of establishments within multiple Member States

The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,^[192] independent of the formal declarations as a branch or subsidiary within the Union.^[193] Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an extricable link between the activities of the establishment and the processing is already sufficient.^[194] Only remote links to the processing in question may not involve another entity and therefore not form a ‘cross border processing’.^[195]

(b) Processing (likely) to substantially affect data subject in multiple Member States

A substantial affection, again indicates that that the processing requires a meaningful impact of at least considerable magnitude on the data subject.^[196] In this regard, the mere likelihood of such an impact is sufficient, an actual affection is therefore not required. However, the substantial affection and the likelihood thereof is decided by the DPA on a case by case basis.^[197]

(24) Relevant and reasoned objection

A ‘relevant and reasoned objection’ is an objection by a supervisory authority concerned^[198] to a draft decision provided by a lead supervisory authority.^[199] When such an objection is submitted by the supervisory authorities concerned, the lead supervisory authority can either follow the objection (see Article 60(4) GDPR) or submit the matter to the EDPB (see Article 65(4) GDPR).

In order to limit objections by other supervisory authorities,^[200] Article 4(24) GDPR introduces a threshold to such objections being ‘relevant’ and ‘reasoned’. They must also 'clearly demonstrate' the 'significant risks' posed by the draft decision,^[201] either for the fundamental rights and freedoms of data subjects or the free flow of personal data within the Union. As a consequence, it is not enough for a concerned supervisory authority to just raise a concern that a draft decision by the lead supervisory authority is unlawful.

For details see the commentary on Articles 60 and 65 GDPR.

(25) Information society service

For the definition on ‘information society service’ the GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535. The classification as information society service becomes relevant in several contexts of the GDPR, such as children’s consent (see Article 8(1) GDPR) or the right to object (see Article 21(5) GDPR).

At a distance

‘At a distance’ means that the service is provided without the parties being simultaneously present.^[202] Thus, even when using electronic means, services provided within the physical presence of the recipient to the provider do not fall within this definition.^[203]

Electronic means

‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example, through being transmitted by wire, radio, optical or other electromagnetic means.^[204] While offline services are excluded from this definition,^[205] composite services such as the selling of goods, advertising and gaming do qualify as such.^[206]

Individual request

An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.^[207] Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television, and teletext are therefore not covered.^[208] On the contrary, video-on-demand or pay-per-view services do qualify as information society services.^[209]

Typical cases

Accordingly, most online services encountered nowadays fulfill the criteria of an information society service. Typical example are:^[210]

• Online legal or health services;
• Online libraries or newspapers;
• Online shopping and booking services;
• Online media-platforms or video games;
• Online search engines and web browsers.

(26) International organisation

An ‘international organisation’ means any organisation or subordinate bodies of such, which are governed either by public international law or set up by an agreement between two or more countries. The classification as international organisation is relevant in terms of the additional rules placed on data transfers, according to Articles 44-50 GDPR. While the Data Protection Directive only regulated data flows to third party countries, the GDPR now extends the applicability of these rules to international organisations as as well.^[211] For more information on the principles and additional safeguards placed on such transfers, please see the commentary on Articles 45-49 GDPR.

While there is no universally accepted or further specified definition of the term coming from the GDPR, the overall definition from the Vienna Convention on the Law of Treaties from 1969,^[212] serves as a source of inspiration for interpreting EU law according to the CJEU.^[213] However, Article 2(1)(i) of the Convention defines international organisation as ‘intergovernmental organisation’, thereby failing to deliver a more specific definition. Moreover, since both options to reach an international organization, either through public international law or multilateral agreements, are not further delineated by the GDPR, a broad and flexible approach to the term is suggested.^[214]

In this regard, most organizations, such as the United Nations (UN), the International Telecommunications Union (ITU), the World Trade Organization (WTO) as well as Interpol and Europol shall fall under the term.^[215] However, these examples are not exhaustive and can be infinitely extended to other Internationals Organizations. Only NGOs, which are usually non-governmental organisations established as private initiatives and governed by domestic member state law, may not qualify as such.^[216]

Decisions

→ You can find all related decisions in Category:Article 4 GDPR

References