Article 4 GDPR: Difference between revisions

From GDPRhub
Line 520: Line 520:
'''Specific'''
'''Specific'''


In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them separately.<ref>Recital 32 sentences 5, 6 GDPR.</ref> A blanket consent to all kinds of purposes is therefore not valid. For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]].
In accordance with the principle of transparency from [[Article 5 GDPR|Article 5(1)(b) GDPR]] consent must be provided for specific and legitimate purposes. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them separately.<ref>Recital 32 sentences 5, 6 GDPR.</ref> A blanket consent to all kinds of purposes is therefore not valid. For example, "''I agree to the processing of my data for different business purposes''" is not specific and therefore invalid.
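Review bot: the new wording drops the cross-reference to the commentary on Article 6(1)(a) GDPR that the previous version ended with; the worked example ("I agree to the processing of my data for different business purposes") is a useful addition, but consider keeping the "For more information, see the commentary on [[Article 6 GDPR|Article 6(1)(a) GDPR]]" sentence after it so readers still find the fuller treatment of purpose specificity.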


'''Unambiguous'''
'''Unambiguous'''


Consent must be given unambiguously in the form of clear and affirmative action. Silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user must deselect to refuse his or her consent cannot demonstrate active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref>
Consent must be given unambiguously in the form of clear and affirmative action. This can be checking a box ("opt-in") or a button in the digital environment. Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.<ref>Recital 32 sentence 3 GDPR.</ref> This has been stressed through recent case law by the Court of Justice where a pre-checked checkbox which the user had to deselect in order to refuse their consent cannot show any active behaviour.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin number 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here]).</ref> Similarly, actions which are not clearly affirmative include the simple use of a webpage. A user may simply ignore that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "''by using our webpage you agree to X''"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.<ref>EUCJ, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/1 here]).</ref>
 
Example 1: A user clicks a "''I agree''" button or a person clearly moves into a picture that is taken, which is unambiguous.
 
Example 2: A user is merely vising a pare or walking down a street that is under surveillance, which is ambiguous.
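Review bot: Example 2 in the new text contains two typos, "vising a pare" should read "visiting a page", and Example 1 should read 'an "I agree" button' rather than 'a "I agree" button'. Separately, the second Planet49 footnote in both the old and the new version links to num=C-673/1 while the first footnote correctly links to num=C-673/17; the truncated case number in the second link should be corrected to match.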


'''Withdrawal'''
'''Withdrawal'''

Revision as of 09:00, 5 October 2021

Article 4: Definitions

Legal Text


Article 4 - Definitions


For the purposes of this Regulation:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

16. ‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

17. ‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

18. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

20. ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

21. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;

23. ‘cross-border processing’ means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Commentary

Article 4 GDPR provides a list of definitions used to further specify relevant notions used throughout the GDPR.

Some definitions are taken from the preceding Directive 95/46/EC, allowing an understanding to build on the already existing terms. Other definitions, however, are newly introduced, modified or complemented with additional elements and therefore require a new interpretation.

In order to avoid linguistic inconsistencies leading to an inconsistent application of the law, it should be noted that the Regulation is legally binding in all official languages of the EU. Therefore, whenever the interpretation is in doubt, other language versions may be consulted to identify and resolve discrepancies.

(1) Personal Data

The principal concept of the GDPR is that of ‘personal data’.[1]

Its definition is an extension of the previously existing definition under Article 2 (a) Directive 95/46/EC.[2] The Directive itself derives the definition from Article 2 (a) Convention 108,[3] according to which “personal data” means any information relating to an identified or identifiable individual.

The definition can be divided into four requirements: (1) ‘any information’ (2) ‘relating to’ (3) ‘an identified or identifiable’ (4) 'individual'. All four must be fulfilled cumulatively for information to qualify as personal data.

Any Information

With the expression of ‘any information’, the legislator underlines the willingness to keep the term ‘personal data’ as broad as possible.

In this regard, the German Constitutional Court already stated in 1983 that "Under the conditions of automatic data processing, there is no longer meaningless data."[4] This position is supported by the Commission, stating that "any item of data relating to an individual, harmless though it may seem, may be sensitive",[5] thereby also following the wish of the Council to keep the definition as general as possible.[6] The European Court of Human Rights had already stated that:

“private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings [...] there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life”[7]

Accordingly, personal data includes both information regarding the individual’s private and family life and information regarding the working, economic or social behaviour of the individual, regardless of their position or capacity.[8] The information can be either ‘objective’, such as unchangeable characteristics of a data subject, or ‘subjective’, in the form of opinions or assessments.[9] It is not necessary for the information to be true, proven or complete.[10]

With regard to the format or medium of the information, data of any type is covered, be it alphabetical, numerical, (photo)graphical or acoustic. This includes information on paper as well as information stored on a computer in binary form or on tape, such as video surveillance,[11] telebanking,[12] medical prescriptions[13] or even children's drawings.[14]

Relating To

The information needs to relate to an individual. In accordance with the WP29,[15] the CJEU assesses this requirement based on three different criteria, i.e. “where the information, by reason of its content, purpose or effect, is linked to a particular person.”[16]

The content of the information is 'relating to' a person when it is about a particular individual.[17] Conversely, information relating to a larger group of persons without any possibility of singling out an individual is not related to a particular person.[18] Similarly, information exclusively linked to objects or events may not be considered as related to a particular person.[19] However, when information on objects also concerns individuals, it can relate to them indirectly. For example, the objective value of a house allows the owner's wealth and income situation to be inferred, while car service records allow conclusions about their driving behaviour.[20] In this regard, geodata (like GPS data and coordinates) also allows the locations and movement patterns of individuals to be derived.[21] This is particularly relevant as information from the growing number of personal devices, wearables and RFID chips increasingly relates to the person carrying them.[22]

Furthermore, the purpose of the information creates a relation to a person where it is used to change that person's particular status or behaviour.[23] Accordingly, data is related to an individual where it is used to determine or influence the way a person is treated or evaluated by the processing entity.[24] The purpose is therefore closely connected to the effects of the processing of the information. In particular, the impact on a particular person’s rights and interests determines whether information is related to a person or not.[25] For example, the deployment of a system to determine the position of available taxis would also allow the performance of the respective drivers to be monitored, strongly impacting their employment situation.[26]

Identified or Identifiable

The person to which the information relates must also be identified or identifiable.

A person is “identified” where they can be distinguished or 'singled out' from a larger group of persons directly from the information.[27] This is usually achieved through the 'identifiers' listed in Article 4(1) GDPR, such as the name, identification number, location data, online identifiers, or the physical, physiological, genetic, mental, economic, cultural or social identity of a particular person. Further examples are provided by the Working Party 29, such as telephone, car registration, social security and passport numbers as well as a person’s height, hair colour, clothing or professional qualities.[28] Note that the name of a person is therefore not necessarily required to identify an individual, given that such identifiers are typically more unique than a name.[29]

A person is “identifiable” when they have not yet been identified but identification is possible through a combination of available pieces of information.[30] In this regard, Recital 26 sentence 3 GDPR states that “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used [...] either by the controller or by another person to identify the natural person.” The starting point is therefore an absolute (objective) approach that generally considers both the information held by the controller and information held by other entities that could identify a person. However, the “reasonable likelihood” of such information being used by the controller narrows the approach to a relative (subjective) one. In this regard, Recital 26 sentence 4 GDPR adds that in order “to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, [...] the available technology at the time of the processing and technological developments.”

In other words, while not all of the information required to identify the person needs to be in the hands of the controller,[31] the mere hypothetical possibility of identifying the person with information from other entities is not sufficient either.[32] Thus, the assessment requires a case-by-case decision on the reasonable likelihood of identifying an individual, taking into account state-of-the-art tools, available sources, and the costs, time and effort required to perform the identification. In the case of collecting IP addresses from visitors of governmental websites, for example, each address relates to an identifiable person given the state’s legal power to access the additional information required to link the IP address to the respective visitor.[33]

Furthermore, taking the increasing accessibility of information through big data technologies into consideration, measures to successfully identify individuals become increasingly reasonable.[34] In particular, where information is stored over a long period of time, persons become more likely to be identified as more and more pieces of information are added to their data set.[35] In this regard, according to Recital 26 GDPR, even pseudonymised data explicitly remains information on an identifiable person. For further information, see also the commentary on Article 4(5) GDPR.
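To make the identifiability test concrete, here is an added Python illustration (not GDPRhub's code): a dataset pseudonymised with a keyed HMAC whose key and lookup table are held separately, as Article 4(5) GDPR requires, next to an unkeyed hash over a small identifier space that a re-identifiability check reverses by simple enumeration, the kind of "means reasonably likely to be used" Recital 26 refers to. The employee records, the key and the four-digit identifier space are constructed sample values.

```python
"""Pseudonymisation versus identifiability under Article 4(5) and Recital 26
GDPR.  Added illustration with constructed sample data; not GDPRhub's code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    employee_id: str   # direct identifier; sample values are constructed
    department: str
    salary: int


def pseudonymise(records: Iterable[Record],
                 key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace the direct identifier with a keyed HMAC-SHA-256 tag.

    Returns the pseudonymised rows and a lookup table tag -> employee_id.
    The key and the lookup table are the 'additional information' of
    Article 4(5): kept separately, under their own access controls, they
    allow re-attribution; the rows alone do not.
    """
    rows, lookup = [], {}
    for rec in records:
        tag = hmac.new(key, rec.employee_id.encode(), hashlib.sha256).hexdigest()
        rows.append({"pseudonym": tag, "department": rec.department,
                     "salary": rec.salary})
        lookup[tag] = rec.employee_id
    return rows, lookup


def reidentify(pseudonym: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the holder of the separately kept lookup table can re-attribute.
    Recital 26: such data is still information on an identifiable person."""
    return lookup.get(pseudonym)


def unkeyed_hash(identifier: str) -> str:
    """A plain SHA-256 of the identifier, sometimes mistaken for anonymisation."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reversible_by_enumeration(digest: str,
                              id_space: Iterable[str]) -> Optional[str]:
    """Recital 26 check: where the identifier space is small enough to
    enumerate at trivial cost, enumeration is a 'means reasonably likely to
    be used', so the digest still relates to an identifiable person.
    Returns the recovered identifier, or None if no candidate matches."""
    for candidate in id_space:
        if hmac.compare_digest(unkeyed_hash(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    """Run both checks on constructed data and return the outcomes."""
    key = b"constructed-key-kept-in-a-separate-vault"   # assumed secret
    records = [Record("0042", "R&D", 5100), Record("0007", "Sales", 4300)]
    rows, lookup = pseudonymise(records, key)
    four_digit_ids = [f"{i:04d}" for i in range(10_000)]   # tiny id space
    return {
        # direct identifier is gone from the working dataset
        "direct_identifier_removed": "employee_id" not in rows[0],
        # the key holder re-attributes via the separately kept table
        "key_holder_can_reattribute": reidentify(rows[0]["pseudonym"], lookup),
        # without that table the tag is not attributable
        "without_table": reidentify(rows[0]["pseudonym"], {}),
        # a plain hash of a 4-digit id is recovered by enumeration
        "plain_hash_reversed": reversible_by_enumeration(
            unkeyed_hash("0042"), four_digit_ids),
        # the keyed tag is not, as long as the key stays secret
        "keyed_tag_reversed": reversible_by_enumeration(
            rows[0]["pseudonym"], four_digit_ids),
    }


if __name__ == "__main__":
    print(demo())
```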

Natural Person

The right to data protection is not restricted to the nationals or citizens of specific countries[36] but is granted to all natural persons in line with Article 6 of the Universal Declaration of Human Rights, according to which “Everyone has the right to recognition everywhere as a person before the law”.[37]

Starting from this definition, national legislators usually limit it to the period from the moment of birth to the death of a person.[38] Accordingly, under the GDPR, information relating to deceased persons is not considered personal data.[39] However, Member States may provide alternative rules for the protection of deceased persons,[40] which is usually achieved through further data protection, constitutional or personality rights. Another exception can apply to genetic data, where the data of deceased persons may be indirectly protected through their relatives.[41] For more information, see also the commentary on Article 4(13) GDPR.

As the definition is limited to natural persons, information on legal persons is generally not covered by the definition of personal data either.[42] However, related provisions from the ePrivacy Directive,[43] national data protection laws or constitutional laws can grant alternative protection.[44]

Furthermore, information regarding legal persons is also protected by the GDPR where it amounts to information on natural persons. In particular, where information on a legal person allows information on the natural person behind it to be derived, such as a company’s name or mail address, it may be related to a natural person and therefore constitute personal data. This is especially common for smaller businesses, family-run or one-person enterprises.[45]

Further Examples of Personal Data According to the CJEU

  • Name, date of birth, nationality, gender, ethnicity, religion and language[46]
  • Place of birth, nationality, marital status, sex, record of entries into and exits from a country, residence status, particulars of passports issued, previous statements as to domicile, reference numbers issued by an authority, reference numbers used by authorities[47]
  • Municipality of residence, information concerning the earned and unearned income and assets of that person[48]
  • Data which relate both to the monies paid by certain bodies and the recipients[49]
  • Name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies[50]
  • The times when working hours begin and end, as well as the corresponding breaks and intervals[51]
  • Telephone numbers, employment and hobbies[52]
  • Dynamic IP address[53]
  • Video surveillance[54]
  • Written exams[55]
  • Fingerprints[56]

Relevant Recitals

Recital 14: Not Applicable to Legal Persons
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Recital 15: Technologically Neutral Protection
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

Recital 26: Applicable to Pseudonymous Data, Not Applicable to Anonymous Data
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recital 27: Not Applicable to Deceased Persons
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Recital 29: Conditions for Pseudonymisation
In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

Recital 30: Online Identifiers
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(2) Processing

Processing is another central requirement for the application of the GDPR. To be considered 'processing', the operation in question has to relate to personal data within the meaning of Article 4(1) GDPR. It can either be a single operation or part of a set of sequential operations that together form the processing. Processing can be carried out by fully, semi- or non-automated means. It does not require the use of any electronic means and can also be carried out completely manually.[57]

The notion of processing is formulated broadly by the GDPR through an enumeration of several operations:

  • Collection (targeted procurement of single pieces of data), such as offering online registrations or contact forms[58]
  • Recording (continuous procurement of data flows), such as operating surveillance cameras or similar sensors
  • Organisation (systematic ordering that enhances access to and evaluation of information), such as the allocation of information within databases
  • Structuring (ordering data according to certain criteria), e.g. in numerical or alphabetical order[59]
  • Storage (saving information to a physical and readable format), such as information on paper, files, disks, drives or cloud servers[60]
  • Adaptation (adjustments to the content of information according to specific criteria), e.g. updating information on age, address or income[61]
  • Alteration (changes to the form or content of data), such as corrections, pseudonymisation or anonymisation[62]
  • Retrieval (accessing stored information), for example loading information to be displayed on a device[63]
  • Consultation (accessing stored information through targeted searches), such as using search routines to find and display data[64]
  • Use (catch-all term for all active operations conducted on personal data), e.g. using addresses to deliver orders or mail[65]
  • Disclosure by transmission (“pushing” information to recipients or other third parties), such as sharing customer information with another company
  • Disclosure by dissemination (untargeted distribution of information to an unlimited number of recipients), e.g. in newspapers, radio or TV broadcasting[66]
  • Disclosure by otherwise making available (generally any other form of disclosure), such as providing information on websites or search engines[67]
  • Alignment (comparison of information with other, specific requirements), such as grid investigations or ‘dragnet’ actions
  • Combination (merging information), such as profiling (see also Article 4(4) GDPR)[68]
  • Restriction (marking for limited further processing, see also Article 4(3) GDPR), such as deactivation of information on a website[69]
  • Erasure (irreversibly rendering information impossible to access), such as overwriting data multiple times[70]
  • Destruction (physically destroying the data carrier), such as shredding of files[71]

Note that this list is non-exhaustive and non-selective. The broad notion of processing allows for an extensive application of the GDPR to any kind of operation conducted on personal data. The only major exception is where the controller remains completely passive and takes no active action towards information that the data subject imposes on it.[72]

Relevant Recitals

Recital 15: Technologically Neutral Protection
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(3) Restriction of Processing

The restriction of processing means neither a complete prohibition on processing nor an erasure of personal data. It is a limitation under which the controller may process certain personal data only for very limited purposes.[73] Usually, restrictions on the processing of personal data occur when the data is no longer required for the purpose it was originally collected for, but cannot be deleted due to legal obligations.[74]

Technically, the restriction is realised through markers on the data in question that ‘lock’ it from further processing in the future.[75] In automated systems, the restriction shall be ensured by technical safeguards that ensure the personal data is not subject to further processing or changes.[76] In non-automated systems, marking the data is typically not sufficient; it requires relocation to a separate storage with access restrictions.[77]

Restrictive methods could include temporarily moving selected data to another processing system, making it unavailable to users, or temporarily removing published data from a website.[78] In any case, the data subject needs to be informed about the restriction of processing of their personal data according to Article 18(3) GDPR.

The restriction of processing can also be initiated by request of a data subject under the requirements of Article 18(1) GDPR or a data protection authority according to Article 58(2)(g) GDPR. For more information see the commentary on these provisions.
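The marker-based approach described above, written out as an added Python illustration (this is not GDPRhub's code, and the record layout, the purpose names and the set of purposes still permitted while a restriction is in force are constructed assumptions for the example). The record keeps its data, a marker locks it, and the processing layer refuses operations for non-permitted purposes and never lets a restricted record be changed:

```python
"""Restriction of processing as a marker on the record, enforced by the
processing layer. Added illustration, not GDPRhub's code: record layout,
purpose names and PERMITTED_WHILE_RESTRICTED are constructed for the example."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional, Tuple


class ProcessingRestricted(Exception):
    """Raised when an operation would process a restricted record for a
    purpose that is not permitted while the restriction is in force."""


@dataclass
class PersonalDataRecord:
    record_id: str
    data: Dict[str, Any]
    # The marker that 'locks' the record. None means processing is not restricted.
    restricted_since: Optional[datetime] = None
    restriction_reason: str = ""
    # Log of marker changes and processing attempts, so the restriction is
    # clearly indicated in the system (Recital 67) and decisions can be shown later.
    history: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def is_restricted(self) -> bool:
        return self.restricted_since is not None


# Constructed placeholder: purposes the controller may still pursue while the
# restriction is in force. Storage is always among them, because restriction is
# not erasure; the rest depends on the legal basis the controller actually has.
PERMITTED_WHILE_RESTRICTED = frozenset({"storage", "legal_obligation"})


def restrict(record: PersonalDataRecord, reason: str) -> None:
    """Set the marker. The data itself stays where it is."""
    if not record.is_restricted:
        record.restricted_since = datetime.now(timezone.utc)
        record.restriction_reason = reason
        record.history.append(("restricted", reason))


def lift_restriction(record: PersonalDataRecord, reason: str) -> None:
    """Remove the marker (the data subject is informed beforehand, Article 18(3))."""
    if record.is_restricted:
        record.restricted_since = None
        record.restriction_reason = ""
        record.history.append(("restriction lifted", reason))


def process(record: PersonalDataRecord, purpose: str,
            operation: Callable[[Dict[str, Any]], Any]) -> Any:
    """Run `operation` on the record's data for `purpose`.

    A restricted record is processed only for permitted purposes, and even then
    the operation works on a copy, so the stored data cannot be changed."""
    if record.is_restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
        record.history.append(("refused", purpose))
        raise ProcessingRestricted(
            f"{record.record_id}: restricted since {record.restricted_since:%Y-%m-%d} "
            f"({record.restriction_reason}); purpose {purpose!r} not permitted")
    target = dict(record.data) if record.is_restricted else record.data
    result = operation(target)
    record.history.append(("processed", purpose))
    return result


def try_process(record: PersonalDataRecord, purpose: str,
                operation: Callable[[Dict[str, Any]], Any]) -> Tuple[bool, Any]:
    """Convenience wrapper: (True, result) or (False, reason) instead of an exception."""
    try:
        return True, process(record, purpose, operation)
    except ProcessingRestricted as exc:
        return False, str(exc)


if __name__ == "__main__":
    rec = PersonalDataRecord("rec-0001", {"name": "Anna Example", "segment": "A"})
    restrict(rec, "accuracy contested by data subject")
    print(try_process(rec, "marketing", lambda d: d["segment"]))
    print(try_process(rec, "storage", lambda d: len(d)))
    print(rec.history)
```

The copy handed to `operation` while the marker is set is what turns "cannot be changed" from a policy statement into a property of the system: a caller that is allowed to read for storage purposes still cannot overwrite the stored record.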

Relevant Recitals

Recital 67: Right to Restriction of Processing
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

(4) Profiling

By explicitly mentioning profiling, the GDPR reacts to recent risks and dangers originating from new forms of data processing. In this regard, it refers to the increased creation, maintenance and use of profiles on personal traits and behaviour of natural persons.[79] These profiles are typically generated by applying statistical-mathematical methods to personal data in order to produce predictions about the future behaviour of the data subject.[80]

Profiling does not require knowledge of the civil identity of the data subject.[81] It already occurs in association with online identifiers, such as IP addresses, cookie IDs or RFID tags,[82] as well as information automatically collected from smart devices, wearables or cars.[83]

The definition provides a non-exhaustive list of common profiling criteria, such as work performance, economic situation, health or more general personal preferences, interests and behaviour, as well as location and movements. Common examples are therefore:

  • Maintaining customer profiles for more efficient marketing[84]
  • Operating systems for credit rating/scoring[85]
  • Operating e-Recruitment Systems[86]

Besides its economic relevance for controllers, profiling is relevant to many other provisions across the GDPR, such as its territorial application (see Article 3(2)(b) GDPR and Recital 24 GDPR) or automated decision-making (Article 22 GDPR). In any case, the data subject has to be informed by the controller of the existence of profiling.[87]

Relevant Recitals

Recital 24: Applicable if Monitoring EU Data Subjects
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Recital 30: Online Identifiers
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Recital 60: Information Requirements
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

Recital 71: Right not to be Subject to an Automated Decision
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(5) Pseudonymisation

Pseudonymisation is the process of changing personal data in such a way that identifying information is either separated or replaced, so that the data can no longer be attributed to a particular data subject without the use of additional information. To count as pseudonymised, this additional information must be kept separately and protected through technical and organisational measures that prevent the respective controller from identifying the data subject.

Examples for the pseudonymisation of personal data include:

  • Replacement of names with IDs, codes or aliases[88]
  • Encryption or hashing of data[89]
  • Pixelation of video materials[90]

Pseudonymisation has to be distinguished from anonymisation. Anonymisation is the definite deletion of any information allowing for an identification of the data subject. The GDPR therefore does not apply to anonymised data.[91] Pseudonymisation, on the other hand, generally still allows for an identification through the use of additional information and is therefore invertible.[92]

The distinction between anonymised and pseudonymised data follows the decisive criterion of reasonable likelihood from Recital 26 sentences 3 and 4 GDPR, which considers the costs, the amount of time and the technology available to identify the data subject. However, with the recent emergence of big data analytics and growing data processing capabilities, anonymisation becomes increasingly difficult.[93] And while some scholars argue for a ‘subjective anonymisation’,[94] the party undertaking the pseudonymisation is typically able to reassign the data to the data subject.[95]

In any case, the information allowing re-identification of the data subject needs to be stored separately and must be secured by technical or organisational measures to prevent identification.[96] In this regard, pseudonymisation reduces risks for data subjects and helps controllers and processors to meet their obligations under the GDPR.[97]
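The following added Python illustration (not GDPRhub's code) puts the examples above and the Recital 26 criterion side by side: names are replaced by a keyed pseudonym, the key and the lookup table form the separately held "additional information", aggregation to counts serves as the irreversible anonymisation case, and a small check estimates what share of the pseudonyms a party holding a list of identifiers but not the key could re-attribute. The records, the key and the field names are constructed for the example.

```python
"""Pseudonymisation with separately held additional information, contrasted
with anonymisation. Added illustration, not GDPRhub's code: the records, the
key and the field names are constructed for the example."""

import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample data set; "name" is the direct identifier.
RECORDS: List[Record] = [
    {"name": "Anna Example", "city": "Vienna", "plan": "premium"},
    {"name": "Bert Example", "city": "Graz", "plan": "basic"},
    {"name": "Carla Example", "city": "Vienna", "plan": "basic"},
]

# Constructed key. A real one is random (e.g. secrets.token_bytes(32)) and is
# stored apart from the pseudonymised data set under its own access controls.
CONTROLLER_KEY = b"constructed-example-key-kept-separately"


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Pseudonym that cannot be recomputed without the key (HMAC-SHA256, truncated)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain hash: anyone who holds the same identifier recomputes the same value."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def pseudonymise(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Replace the name by a keyed pseudonym.

    Returns the pseudonymised data set and the lookup table pseudonym -> name.
    Key and lookup table are the 'additional information' of Article 4(5) GDPR:
    they must be stored separately from the pseudonymised records and protected."""
    pseudonymised, lookup = [], {}
    for rec in records:
        p = keyed_pseudonym(rec["name"], key)
        lookup[p] = rec["name"]
        pseudonymised.append({"pseudonym": p, **{k: v for k, v in rec.items() if k != "name"}})
    return pseudonymised, lookup


def reidentify(pseudonymised: List[Record], lookup: Dict[str, str]) -> List[Record]:
    """Reverse the pseudonymisation; possible only for whoever holds the lookup table."""
    return [
        {"name": lookup[rec["pseudonym"]], **{k: v for k, v in rec.items() if k != "pseudonym"}}
        for rec in pseudonymised
    ]


def anonymise(records: List[Record]) -> Dict[str, int]:
    """Aggregate to a count per city: no identifier survives and no table is kept,
    so nothing can be attributed back. The GDPR no longer applies to this output."""
    return dict(Counter(rec["city"] for rec in records))


def reattribution_rate(pseudonyms: List[str], known_identifiers: List[str],
                       recompute: Callable[[str], str]) -> float:
    """Recital 26 check for the controller: what share of the pseudonyms can a
    party who holds a list of identifiers, but not the key, attribute by
    recomputing them? 1.0 means the scheme is no barrier at all."""
    targets = set(pseudonyms)
    hits = sum(1 for ident in known_identifiers if recompute(ident) in targets)
    return hits / len(targets) if targets else 0.0


if __name__ == "__main__":
    pseud, lookup = pseudonymise(RECORDS, CONTROLLER_KEY)
    names = [rec["name"] for rec in RECORDS]
    print(pseud)
    print(anonymise(RECORDS))
    print("unkeyed scheme:", reattribution_rate([unkeyed_pseudonym(n) for n in names], names, unkeyed_pseudonym))
    print("keyed scheme:  ", reattribution_rate([r["pseudonym"] for r in pseud], names, unkeyed_pseudonym))
```

The rate check is the practical content of the "means reasonably likely to be used" test: an unkeyed hash of a name or e-mail address is recomputable by anyone who holds that identifier, so such data sets remain linkable and attributable, whereas the keyed scheme shifts the question to how well the key and the lookup table are kept apart from the data.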

Relevant Recitals

Recital 26: Applicable to Pseudonymous Data, Not Applicable to Anonymous Data
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recital 28: Pseudonymisation as a Measure of Data Protection
The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

Recital 29: Conditions for Pseudonymisation
In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(6) Filing System

The notion of ‘filing system’ is an important criterion for the application of the GDPR to non-automated data processing (see Article 2(1) GDPR). It complements the technologically neutral approach followed by the GDPR.

A filing system is characterised by a structured set of personal data which is accessible according to specific criteria. The structure of the information must allow a targeted search for personal data.[98] This is already satisfied when personal data on a particular person can be retrieved.[99]

The data can be stored on a single data carrier or on several, in a centralised or decentralised manner. A filing system also does not require information on multiple persons; storing structured information on a single person may already qualify as a filing system.[100]

Examples are:

  • Salary lists of employees[101]
  • Saved letter correspondence with customers[102]
  • Covid-19 guest lists sorted by date[103]

Relevant Recitals

Recital 15: Technologically Neutral Protection
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(7) Controller

The controller is the main addressee of the obligations formulated by the GDPR. Any natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data is a controller. This includes decisions on ‘whether’, ‘why’ and ‘how’ the personal data is processed.[104] In this regard, the controller is to be distinguished from the processor, which is further explained in Article 4(8) GDPR.

The responsibilities of the controller are defined in Article 24 GDPR. Accordingly, the controller has to ensure, and be able to demonstrate, that any processing of personal data performed on its behalf is in accordance with the GDPR.

Where decisions on the means and purposes of the processing are taken jointly, these responsibilities can be shared between different entities. In such cases of ‘joint’ or ‘co-controllership’ the entities have to determine their respective responsibilities for the processing in an agreement according to Article 26 GDPR. Ultimately, however, what matters is the factual influence on the processing of the personal data,[105] see Recital 79 GDPR. In this regard, the participation in and influence on the purposes and means can differ greatly among the actors involved in the data processing. In order to ensure effective and complete protection of the data subject, the concept of ‘controller’ is interpreted broadly in case law.[106]

For example, a joint controllership is assumed between

  • Search engine operators and the websites whose information is structured, presented and complemented with advertisements within search results[107]
  • Facebook and administrators of fan pages on its social network[108]
  • Facebook and websites that integrate a ‘Like’ button[109]

In each case, however, the responsibility of each entity is strictly limited to the part of the processing over whose purposes and means it has influence. This makes it especially relevant to clarify the responsibilities of each controller according to Article 26 GDPR. For further information see the commentary on that provision.

Relevant Recitals

Recital 79: Clear Allocation of Responsibilities
The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

(8) Processor

The processor is the next entity facing obligations from several provisions across the GDPR, complementing the concept of the controller explained in Article 4(7) GDPR. Any natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller qualifies as a processor.

The most important distinction is that the processor does not determine the purposes and means of the processing. The processor is bound by the instructions given by the controller and solely carries out the technical operations for the processing of personal data.[110] Whenever the processor acts in its own interest or processes personal data for further purposes, it qualifies as a controller.[111]

It can therefore be difficult to distinguish a ‘joint’ or ‘co-controller’ from a processor. In this regard, the Working Party 29[112] provides some examples as references for controller-processor relationships:

  • Outsourcing of call centres for customer communications[113]
  • Outsourcing of mail services[114]
  • Cloud hosting and grid computing[115]
  • A separate entity specialised in data processing within a group of companies[116]

Entities qualifying as processors are subject to many provisions of the GDPR, such as the required implementation of technical and organisational measures (see Article 32 GDPR) as well as the possibility of being fined (see Article 82 GDPR). Of additional relevance is Article 28 GDPR, which is intended to ensure compliance with the GDPR through binding data processing agreements. For further information, see also the commentary on Article 28(3) GDPR.

A special form of processor is the ‘sub-processor’, engaged by the processor, which requires another processing agreement and the authorisation of the controller. For further information see the commentary on Article 28(2) and (4) GDPR.

Relevant Recitals

Recital 81: Entrusting a Processor
To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

(9) Recipient

Another entity defined in the GDPR is the recipient. The notion of recipient is very broad: any party to which personal data is disclosed, regardless of whether it is a third party or not. Therefore, whenever a controller sends personal data to another entity, that entity qualifies as a recipient.[117]

The concept of recipient is primarily relevant to the controller's information obligations. According to Articles 13 to 15 GDPR,[118] the controller has to inform the data subject about the recipients or categories of recipients of their personal data. The reasoning is that a controller which discloses personal data to another entity can no longer assume full responsibility for the processing on its own.[119]

In this regard, it is debated whether a processor is also a recipient. On the one hand, the processor generally acts on behalf of the controller and is therefore not a third party.[120] However, the concept of recipient is completely independent of that of the third party.[121] With Article 4(8) GDPR the processor received its own legal identity. Considering the additional risk arising from any disclosure of data, the processor is also to be considered a recipient. Therefore, Article 28 GDPR does not relieve the controller of the obligation to inform data subjects about its processors as recipients according to Articles 13 to 15 GDPR.[122]

On the other hand, particular units within a company, such as the staff council or dependent establishments of the controller, are not considered recipients.[123] The wording of the provision suggests that an entity requires a certain degree of independence in order to count as a recipient.[124] Units that are an inseparable part of the internal structure of the controller are therefore not to be classified as recipients.

Another exception exists for independent financial and administrative public authorities, such as tax or customs authorities, receiving personal data for a particular inquiry.[125] Such inquiries, however, must be in the general interest and in accordance with Union or Member State law.[126]

Relevant Recitals

Recital 31: Not Applicable to Public Authorities With a Legal Obligation
Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(10) Third Party

The concept of a third party complements the previously defined entities. It is defined negatively, as any person other than the data subject, controller, processor or any other person authorised by the controller to process personal data. The notion becomes mainly relevant when weighing interests, such as under Article 6(1)(f) GDPR.[127]

Following from the definition, processors or sub-contractors authorised by the controller for processing are not considered third parties.[128] Likewise, dependent branches or departments of a controller are not considered third parties, except where they are located outside the EU.[129] Similarly, the controller's internal staff are not third parties, unless an employee uses personal data for their own purposes outside the employment context.[130] In that case, although considered a third party from the controller's point of view, they become controllers themselves for processing the personal data.[131]

Relevant Recitals

Recital 47: Overriding Legitimate Interests
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(11) Consent

Consent is the first legal basis mentioned in Article 6(1)(a) GDPR. It manifests the data subject’s agreement to the processing of their personal data. It can be given either by a written, electronic or an oral statement.[132] Examples are ticking a box or actively choosing technical settings that indicate the data subject’s acceptance of the proposed processing of his or her personal data.[133]

The notion of consent within the GDPR is different from its constitutional equivalent in Article 8(2) ECFR. Consent in the GDPR is neither a waiver of fundamental rights, nor a justification for interferences with fundamental rights.[134] Rather, it should be seen as an exception from the general prohibition of processing of personal data under Article 6(1) GDPR.

To ensure that consent is not only a legal fiction, it requires additional and cumulative criteria, regulated within its definition and complemented through Article 7 GDPR. In order for consent to be valid, it has to be freely given, informed, specific and unambiguous. It is the controller’s duty to demonstrate that the data subject has given such consent to the processing of his or her personal data.[135]

Freely Given

Consent has to be freely given, which means that the data subject must also have the option to say "no". Whether the option to refuse is genuinely given depends on the processing operation and service as well as the respective roles of the controller and the data subject in a given transaction. For example, if an employee has to consent to his or her mobile phone being tracked for fraud prevention purposes, it is highly unlikely that he or she has a realistic chance to object. In other words, employers, governments or companies (especially those with a dominant market position) will typically be able to force data subjects to consent against their true wishes. In this perspective, Recital 43 GDPR highlights that if there is a "clear imbalance between the data subject and the controller" consent should not be considered a valid legal basis for the processing.[136]

Examples where asymmetries of power and bundled consent usually occur are:

  • Relationships with public authorities[137]
  • Employer-employee relationships[138]
  • Use of major digital services with limited alternatives[139]

Recital 43 and Article 7(4) GDPR further deal with the situation of "bundled consent", i.e. when the performance of a contract (see below) is made conditional on consent, or when consent to different processing operations is bundled into one single yes/no option for the data subject. Take the case of a controller which uses a contract form in which the data subject also agrees that personal data can be sold to a third party (without this being necessary for the performance of the core contract). The individual cannot modify the form and must sign it as it is. In these cases, consent shall not be considered freely given.[140]

Informed

Consent should be sought using clear and plain language and be provided in an intelligible and easily accessible form. The information under Article 13 and 14 GDPR should therefore fully inform the data subject concerning the processing based on such consent. According to the most recent CJEU case-law, however, such information must not only be provided but also “digested” by the data subject.[141] In particular, data subjects must be able to understand the circumstances of the processing of their personal data to estimate the consequences and implications of giving their consent.[142] This seems to give information a more substantive and functional role. Moreover, the information has to be presented in a manner which is clearly distinguishable from other matters, like terms and conditions. For more information, see the commentary on Article 7(2) GDPR.

Specific

In accordance with the principle of transparency from Article 5(1)(b) GDPR consent must be provided for specific and legitimate purposes. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them separately.[143] A blanket consent to all kinds of purposes is therefore not valid. For example, "I agree to the processing of my data for different business purposes" is not specific and therefore invalid.

Unambiguous

Consent must be given unambiguously in the form of a clear and affirmative action. In the digital environment this can be ticking a box ("opt-in") or clicking a button. Conversely, silence, pre-ticked boxes or inactivity should not constitute consent.[144] This has been stressed in recent case law of the Court of Justice, which held that a pre-checked checkbox which the user had to deselect in order to refuse consent cannot demonstrate any active behaviour.[145] Similarly, actions which are not clearly affirmative include the mere use of a webpage. A user may simply be unaware that a webpage uses data in a certain way. This ambiguity extends to assigning certain actions a legal meaning through a disclaimer (e.g. "by using our webpage you agree to X"). Accordingly, it is in practice impossible to ascertain whether a user had actually given their consent by not deselecting the pre-ticked checkbox or had just not noticed the information provided.[146]

Example 1: A user clicks an "I agree" button, or a person deliberately steps into a picture that is being taken, which is unambiguous.

Example 2: A user is merely visiting a page, or a person is walking down a street that is under surveillance, which is ambiguous.

Withdrawal

Consent can be withdrawn at any time. Withdrawing consent shall be as easy as giving it. The controller has to inform the data subject of the possibility to withdraw consent prior to the processing. For further information, see the commentary on Article 7(3) GDPR.
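The cumulative criteria discussed in the "Freely Given", "Specific", "Unambiguous" and "Withdrawal" sections above translate into checks a consent mechanism can actually enforce. The following added Python illustration (not GDPRhub's code) models a consent form as a list of separately presented options, rejects forms that are pre-ticked, bundle several purposes into one option or make a contract conditional on unnecessary consent, and keeps an event log so the controller can demonstrate the consent it relies on and a withdrawal is a single step. The purpose names, form layout and field names are constructed for the example.

```python
"""Consent form validation and a demonstrable consent record. Added
illustration, not GDPRhub's code: purpose names, form layout and field
names are constructed for the example."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


class InvalidConsent(ValueError):
    """The form as presented cannot yield valid consent."""


@dataclass
class ConsentOption:
    """One tick box or button as presented to the data subject."""
    purposes: List[str]                   # purposes this single option covers
    checked_by_default: bool = False      # pre-ticked?
    required_to_proceed: bool = False     # is concluding the contract conditional on it?
    necessary_for_contract: bool = False  # is the processing needed to perform the contract?


@dataclass
class ConsentEvent:
    purpose: str
    action: str          # "given" or "withdrawn"
    at: datetime
    evidence: str        # what the data subject did, e.g. 'ticked box "newsletter"'


def form_defects(options: List[ConsentOption], info_shown: bool) -> List[str]:
    """Check a consent form against the cumulative criteria; empty list = none found."""
    defects = []
    if not info_shown:
        defects.append("informed: no Article 13/14 information presented with the request")
    for i, opt in enumerate(options):
        if len(opt.purposes) != 1:
            defects.append(f"specific: option {i} bundles purposes {opt.purposes}")
        if opt.checked_by_default:
            defects.append(f"unambiguous: option {i} is pre-ticked (Recital 32)")
        if opt.required_to_proceed and not opt.necessary_for_contract:
            defects.append(f"freely given: option {i} makes the contract conditional "
                           f"on consent that is not necessary for it (Article 7(4))")
    return defects


@dataclass
class ConsentRecord:
    subject_id: str
    events: List[ConsentEvent] = field(default_factory=list)

    def give(self, options: List[ConsentOption], ticked: List[bool],
             info_shown: bool, evidence: str) -> List[str]:
        """Record consent for every option the data subject actively ticked.

        Refuses the whole form if it has defects: a controller that cannot show a
        valid request cannot demonstrate consent later (Article 7(1))."""
        defects = form_defects(options, info_shown)
        if defects:
            raise InvalidConsent("; ".join(defects))
        now = datetime.now(timezone.utc)
        given = []
        for opt, is_ticked in zip(options, ticked):
            if is_ticked:
                purpose = opt.purposes[0]
                self.events.append(ConsentEvent(purpose, "given", now, evidence))
                given.append(purpose)
        return given

    def withdraw(self, purpose: str) -> None:
        """One step, no conditions: withdrawing must be as easy as giving (Article 7(3))."""
        self.events.append(ConsentEvent(purpose, "withdrawn",
                                        datetime.now(timezone.utc), "withdrawal requested"))

    def is_valid_for(self, purpose: str) -> bool:
        """The latest event for the purpose decides; nothing recorded means no consent."""
        state: Optional[str] = None
        for ev in self.events:
            if ev.purpose == purpose:
                state = ev.action
        return state == "given"

    def demonstrate(self, purpose: str) -> Optional[ConsentEvent]:
        """Evidence the controller can show for a currently valid consent (Article 7(1))."""
        if not self.is_valid_for(purpose):
            return None
        return next(ev for ev in reversed(self.events) if ev.purpose == purpose)


if __name__ == "__main__":
    bad = [ConsentOption(["newsletter", "profiling"], checked_by_default=True),
           ConsentOption(["data_sale"], required_to_proceed=True)]
    print(form_defects(bad, info_shown=True))
    rec = ConsentRecord("subject-0001")
    good = [ConsentOption(["newsletter"]), ConsentOption(["profiling"])]
    print(rec.give(good, [True, False], True, 'ticked box "newsletter"'))
    rec.withdraw("newsletter")
    print(rec.is_valid_for("newsletter"), rec.demonstrate("newsletter"))
```

Rejecting the form as a whole rather than only the defective option is deliberate: the text above treats the criteria as cumulative, so consent collected through a form that is pre-ticked or bundled gives the controller nothing it could rely on for any of the purposes on that form.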

Capacity

Generally, consent must be given directly by the data subject or a nominated representative.[147] In the case of minors, the ability to consent is based on the individual cognitive faculty of the data subject.[148] In the online context, Article 8(1) GDPR provides a minimum age of 16 while member states may not reduce that age limit to below 13.

Explicit Consent

The more qualified form of ‘explicit’ consent is required within several other provisions across the GDPR. For more information check the commentary on Article 9(2)(a) GDPR, Article 22(2)(c) GDPR and Article 49(1) GDPR.

Relevant Recitals

Recital 32: Conditions for Consent
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Recital 33: Consent for Scientific Research
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Recital 42: Proof and Requirements for Consent
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43: Freely Given Consent
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(12) Personal Data Breach

A ‘personal data breach’ can be considered as any security incident regarding personal data. In this regard, the breach has to concern the processing of personal data (for ‘personal data’ see Article 4(1) GDPR, for ‘processing’ Article 4(2) GDPR). Although the transmission and storage of data are explicitly highlighted, any type of processing of the data concerned is sufficient.[149]

Moreover, it requires a security breach within that processing. This includes any failure of the technical or organisational safeguards implemented by the controller according to Article 32 GDPR. Such failures can be caused either by targeted attacks from other parties or by mishandling of personal data by the controller or by persons acting under its instruction, such as its employees.[150] Some examples of security breaches are:

  • Hacking attacks on systems involving personal data[151]
  • Missing access protection for data storage or buildings[152]
  • Sending data to unintended recipients[153]
  • Employees unlawfully distributing data to third parties[154]
  • Accidentally publishing or leaking data on a website[155]
  • Loss of physical data carriers[156]
  • Destruction of data storage infrastructure[157]
  • Unrecoverable encryption by ransomware[158]
  • Unlocked storage of employee files[159]

As a consequence, the incident has to lead to an accidental or unlawful destruction, loss or alteration of data, or to the unauthorised disclosure of or access to data. In any case where personal data is disclosed, it qualifies as a personal data breach through the mere possibility of accessing that data. Actual access to the disclosed data is not necessary.[160]

The notion of a personal data breach becomes especially relevant in terms of the notification and communication obligations of controllers towards data subjects and DPAs according to Articles 33 and 34 GDPR. In this regard, the EDPB can issue further guidelines, recommendations and best practices for handling personal data breaches (Article 70(1)(g) and (h) GDPR).[161]

(13) Genetic Data

‘Genetic data’ refers to data on the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. Accordingly, the data must allow for clear conclusions on growth, metabolism, appearance, diseases or the like, whether already existing or arising in the future.[162] Examples of how such data is obtained are given in Recital 34 GDPR, which mentions in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analyses.

The classification as genetic data becomes relevant in terms of Article 9(1) GDPR, which only allows its processing under strict requirements.[163] This is due to the sensitive character of such data, which allows a unique identification of the data subject and at the same time reveals health data[164] on them and their biological relatives.[165] Especially with regard to hereditary diseases, genetic data therefore carries a high risk of abuse in the context of employment and insurance.[166]

Relevant Recitals

Recital 34: Genetic Data
Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(14) Biometric Data

‘Biometric data’ means data referring to the physical, physiological and behavioural characteristics of a natural person obtained from specific technical processing allowing for a unique identification. While this generally includes any means to analyse and measure the characteristics of humans,[167] the requirements of technical processing and unique identification set a higher threshold.

The definition itself gives facial images and fingerprints[168] as examples of biometric data. However, the requirement of specific technical processing ensures that simple pictures or even passport photographs are not considered as such.[169] It is the further processing through the application of facial recognition software that qualifies the extracted information as biometric data. In this regard, iris scans, DNA comparisons, voice or gait pattern analyses,[170] as well as typing patterns or even handwritten signatures[171] may also be considered biometric data.

Other data that does not allow a unique identification, such as body size or blood type, may not be considered biometric data.[172] However, such data could then fall under the definition of ‘health data’, which offers similar protection to that for biometric data according to Article 9(1) GDPR.

Relevant Recitals

Recital 51: Protection of Sensitive Personal Data
Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(15) Data Concerning Health

‘Data concerning health’, or simply ‘health data’, means any data related to the physical or mental health of a natural person, especially the provision of health care services revealing such information. According to Recital 35 GDPR, this includes all data referring to the past, current or future health status of the data subject. In this regard, any information on diseases, risks, disabilities, their treatment and the medical history of a particular natural person explicitly qualifies as health data.[173]

Examples of health data are information about:

  • Addictions to alcohol, drugs or medications as well as participation in self-help groups[174]
  • Hospitalisations, sick notes and sick pay[175]
  • Physical or mental incapacity to work[176]
  • Data from health or fitness apps on eating or movement patterns, for example from wearables and smartphones[177]

The notion of health data is therefore broader than that of ‘medical data’.[178] Furthermore, it strongly overlaps with the notions of genetic and biometric data[179] in order to allow a seamless, high level of protection within the scope of Article 9 GDPR.[180] For further information, see the commentary on Article 9 GDPR.

Relevant Recitals

Recital 35: Health Data
Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Recital 54: Processing of Health Data for Reasons of Public Interest
The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(16) Main Establishment

If a controller or a processor has establishments in more than one Member State, identifying its ‘main establishment’ is the first step in determining the lead supervisory authority in a cross-border procedure.

It is the role of the data protection authorities to properly define the main establishment of an entity according to objective criteria and subsequently to determine the corresponding lead authority.[181] The burden of proof falls on controllers and processors to demonstrate to the relevant supervisory authorities where the relevant processing decisions are taken and implemented. In this regard, however, the Working Party 29 stressed that the GDPR does not permit ‘forum shopping’ and that conclusions cannot be based solely on statements by the organisation under review. The supervisory authorities can rebut the controller’s analysis based on an objective examination of the relevant facts, requesting further information where required.[182]

Main Establishment of a Controller

As a general rule, the main establishment of a controller should be the place of its central administration in the Union, or in other words, “the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented”.[183]

Recital 22 GDPR defines an establishment as "the effective and real exercise of activity through stable arrangements". The legal form of such arrangements is irrelevant. According to the CJEU, “both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned”.[184] In this regard, even the presence of a single representative can constitute a stable arrangement if that representative acts with a sufficient degree of stability and has the necessary equipment to provide the specific services in the Member State concerned.[185]

If a controller’s main establishment is not the place of its central administration in the EU, it is necessary to determine the main establishment based on where the effective and real exercise of the main decisions on the purposes and means of processing takes place.[186] This should depend neither on the place of the processing nor on the use of technical means and technologies for processing personal data or processing activities. Instead, to determine the controller’s main establishment, the Working Party 29 developed several guiding questions:[187]

  • Where are decisions about the purposes and means of processing finally signed off?
  • Where are decisions about business activities that involve data processing made?
  • Where does the power to have decisions implemented effectively lie?
  • Where is the Director with responsibility for cross border processing located?
  • Where is the controller or processor registered as a company?

A supervisory authority may require a controller to present additional information proving that its main establishment fulfils the criteria envisaged in the GDPR.[188]

Main Establishment of a Processor

Similarly to the rules for controllers, the main establishment of a processor located in multiple Member States shall also be the place of its central administration.

However, when there is no central administration in the Union, the rules applying to processors are formulated differently. In such cases, the main establishment of a processor is where the main processing activities take place in an establishment in the Union that is subject to the obligations under the GDPR. This implies that the processing of personal data does not need to be carried out by the relevant establishment itself, but only in the context of its activities within the scope of the GDPR.[189] The meaning of ‘the context of activities’ has already been specified by the CJEU, building on a broad definition of ‘establishment’ and clarifying that an establishment in a Member State intended to provide advertising space for a third-country undertaking already means that personal data is processed in the context of the activities of that Union establishment.[190]

Following up on the CJEU judgement, the Working Party 29 specified that EU law may apply to data processing activities of controllers or processors established outside the EU “even if the local establishment is not actually taking any role in the data processing itself”.[191] This reasoning can be based on an “inextricable link” between activities of an establishment in the EU and data processing by a non-EU controller or processor.[192]

Cases Involving Both the Controller and the Processor

Recital 36 GDPR explains that “in cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment”. For further information on determining the lead and concerned supervisory authorities in cross-border contexts involving both the controller and the processor, see the commentary on Article 56 GDPR and Article 4(22)-(23) GDPR.

Relevant Recitals

Recital 22: Processing Activities by an Establishment
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Recital 36: Determination of the Main Establishment
The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. 
Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(17) Representative

Representatives are any legal or natural persons established in the Union designated by a controller or processor in accordance with Article 27 GDPR. They are not to be confused with the executive organ of the controller; rather, they serve as contact persons for data subjects and DPAs in dealing with controllers and processors that are located only outside the Union.

In this regard, the notion of a representative becomes relevant for actors that fall within the territorial scope of the GDPR without having any establishment within the Union (see Article 3(2) GDPR and Recital 80 GDPR).[193] In such cases, the representative becomes the addressee of enforcement proceedings in the event of non-compliance by the respective controller or processor.[194] In this way, the representative prevents actors established only in a third country from becoming “infeasible” for data subjects and DPAs within the Union. Examples of representatives may therefore be designated employees, lawyers or whole firms established within the Union.[195]

The designation shall be made in written form and contain a mandate to represent the controller or processor with regard to its obligations under the GDPR.[196] At the same time, the designation of a representative does not exclude the responsibility or liability of the controller or processor themselves.[197] However, it remains unclear how entities that do not designate a representative may be dealt with under the GDPR.[198] This applies especially to public authorities, which are exempted from the obligation to designate a representative.[199]

Relevant Recitals

Recital 80: Designated Representative
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

(18) Enterprise

An ‘enterprise’ means any natural or legal person, partnership or association regularly engaged in economic activities. With this definition, the GDPR introduced a broad concept of the enterprise, irrespective of its size, legal form or the interests pursued.[200]

An enterprise requires regular engagement in economic activities, meaning activities intended to be long-term and not merely occasional.[201] Excluded from such activities are purely familial or personal activities falling under the household exception, see the commentary on Article 2(c) GDPR.

While the English version of the GDPR distinguishes between ‘enterprise’ and ‘undertaking’, translations into other languages merged both into a single notion.[202] This can cause controversy around the assessment of fines under Article 83 GDPR, which in the English version refers to the term ‘undertaking’ in accordance with Articles 101 and 102 TFEU and thereby not to the definition in Article 4(18) GDPR.[203] In any case, however, the notion is to be understood broadly when taking enforcement action against or determining fines for a particular entity, see the commentary on Article 83 GDPR.

Relevant Recitals

Recital 13: Harmonisation of Protection and Advantages for Small and Medium-Sized Enterprises
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

(19) Group of Undertakings

A group of undertakings consists of a leading (“controlling”) entity and one or more entities dependent on it (“controlled” entities).[204] The central characteristic of a group of undertakings is therefore that one entity exerts a dominant influence over the others, for example through ownership or financial participation.[205] This is usually the case between a holding company and its subsidiaries.[206]

In this regard, the mere possibility of exercising control over the other entity is sufficient; actual exercise of such control is not necessary.[207] As long as one entity has the factual power to assert its will over the other entities,[208] they qualify as a group of undertakings.[209]

Two undertakings already suffice to form a group.[210] However, a controller merely giving instructions to a processor regarding the processing of personal data does not constitute a group of undertakings.[211]

The classification as a group of undertakings becomes relevant for several provisions across the GDPR, such as:

  • The joint designation of a Data Protection Officer (Article 37(2) GDPR),
  • The formulation of binding corporate rules (Article 4(20) GDPR, Article 47 GDPR),
  • The data transfer for internal administrative purposes (Article 6(1)(f) GDPR with Recital 48 GDPR),[212]
  • The determination of the main establishment (Article 4(16) GDPR, Recital 22 GDPR).

However, the notion is to be distinguished from a ‘group of enterprises engaged in a joint economic activity’ also used throughout several provisions across the GDPR. These consist of separate and independent entities, which do not exercise control over each other[213] and therefore cannot designate a single Data Protection Officer or rely on internal administrative data transfers.

Relevant Recitals

Recital 37: Group of Undertakings Controllership
A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

Recital 48: Data Transfers Within a Group of Undertakings
Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(20) Binding Corporate Rules

Binding corporate rules (‘BCR’ for short) are ‘personal data protection policies’ formulated by controllers or processors established in the Union for transfers of personal data outside the Union within their group. In this regard, binding corporate rules constitute a legal basis for transferring personal data to third countries without an adequacy decision.[214] However, they only serve intra-corporate transfers, i.e. transfers between entities of the group of undertakings or enterprises concerned. Transfers to entities outside of these groups are not covered by binding corporate rules.

Furthermore, there are additional requirements regarding the content of such rules. According to Recital 110 GDPR, BCR must include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data. The rules therefore have to be approved in advance by the national DPA concerned.[215] Furthermore, the Commission may specify the format and the procedures for the exchange of information regarding these rules.[216] For more information on the requirements and the approval procedure of binding corporate rules, see the commentary on Article 47 GDPR.

Relevant Recitals

Recital 110: Binding Corporate Rules
A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(21) Supervisory Authority

Supervisory authorities or ‘Data Protection Authorities’ (DPAs) are independent public authorities responsible for monitoring the application of the GDPR. The idea is that such authorities protect the fundamental rights and freedoms of natural persons in relation to processing and facilitate the free flow of personal data within the Union.[217]

Member States may establish one or several DPAs, to reflect their constitutional, organisational and administrative structure.[218] In this regard, DPAs must be public authorities[219] established at the national level.[220] And while each supervisory authority should be competent on the territory of its own Member State,[221] they shall cooperate, mutually assist each other and conduct joint operations to foster a consistent application of the GDPR in cross-border contexts (see Articles 60-63 GDPR and Recital 123 GDPR).

In this regard, DPAs act independently (see Article 52 GDPR) and shall be provided with certain competences (Articles 55, 56 GDPR), tasks (Article 57 GDPR) and powers (Article 58 GDPR). For further information, see the commentary on these articles.

Relevant Recitals

Recital 117: Establishment of Independent Supervisory Authorities
The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

Recital 122: Competence of Supervisory Authorities
Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

Recital 123: Cooperation Amongst Supervisory Authorities and with the Commission
The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

(22) Supervisory authority concerned

A supervisory authority qualifies as ‘concerned’ in three situations, as laid out by Article 4(22) GDPR:

  • for a controller or processor, when it is established in the Member State of a supervisory authority,
  • for a data subject, when the data subject resides in the Member State of a supervisory authority and is (likely) substantially affected by the processing of personal data, or
  • where a complaint has been lodged with that supervisory authority.

Controller or Processor Establishment

The DPA is concerned when a controller or processor is established in its jurisdiction. This implies any effective and real exercise of activity through stable arrangements,[222] regardless of whether such arrangements take the form of an actual branch or subsidiary within the Union.[223] This broad understanding is fostered by the EUCJ, which treats any real and effective activity exercised through stable arrangements as an establishment, regardless of its formal legal form.[224]

(Likely) Substantial Affection of the Data Subject

A substantial affection, although not further specified in the GDPR, indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.[225] However, the mere likelihood of such an impact is sufficient; an actual affection is therefore not required. Whether the data subject is substantially affected, or likely to be, is decided by the DPA on a case-by-case basis.[226] In any case, this requires the data subject to reside in the Member State of the DPA and therefore to have at least stable links to that state as their permanent habitual centre.[227]

Filing a Complaint with the Supervisory Authority

Filing a complaint with a particular supervisory authority makes it a ‘concerned’ authority. Since complaints can also be filed with DPAs other than the one of the Member State where the data subject resides,[228] a supervisory authority can be concerned without the data subject having a residence within the EU or any (likely) substantial affection. For further information on filing a complaint with a supervisory authority, see the commentary on Article 77 GDPR.

Relevant Recitals

Recital 124: Lead Supervisory Authority and Cooperation
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

(23) Cross-Border Processing

Cross-border processing means any processing taking place (i) in the context of the activities of establishments of a controller or processor in multiple Member States, or (ii) in the context of a single establishment of a controller or processor in the Union which (likely) substantially affects data subjects in more than one Member State.

Both conditions are therefore attached to the notion of ‘establishment’: (i) requires the controller or processor to have multiple establishments in different Member States of the Union, while (ii) only requires the controller or processor to have an establishment within a single Member State of the Union.[229] In both cases, however, the controller or processor needs to be established in at least one Member State.[230]

Processing in the Context of Establishments within Multiple Member States

The notion of establishment is again to be interpreted broadly. It is any effective and real exercise of activities through stable arrangements,[231] regardless of the formal designation as a branch or subsidiary within the Union.[232] Furthermore, the processing is not required to be carried out within the establishment itself, but can also happen in the context of its activities. If the establishment in the EU is not directly processing the personal data, an inextricable link between the activities of the establishment and the processing is already sufficient.[233] Merely remote links to the processing in question do not involve another entity and therefore do not constitute ‘cross-border processing’.[234]

Processing (Likely) to Substantially Affect Data Subjects in Multiple Member States

A substantial affection again indicates that the processing must have a meaningful impact of at least considerable magnitude on the data subject.[235] In this regard, the mere likelihood of such an impact is sufficient; an actual affection is therefore not required. Whether the data subject is substantially affected, or likely to be, is decided by the DPA on a case-by-case basis.[236]

The assessment of cross-border processing is relevant for determining the competent lead supervisory authority in situations where the processing concerns supervisory authorities of multiple Member States. In this regard, it contributes to the ‘one-stop-shop’ principle, which is further described in the commentary on Article 56 GDPR.

Relevant Recitals

Recital 22: Processing Activities by an Establishment
Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Recital 124: Lead Supervisory Authority and Cooperation
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

(24) Relevant and Reasoned Objection

The ‘relevant and reasoned objection’ refers to situations in which a supervisory authority concerned[237] objects to a draft decision provided by a lead supervisory authority[238] in the context of cross-border processing.[239] When such an objection is raised by a supervisory authority concerned, the lead supervisory authority can either follow the objection or submit the matter to the EDPB (see Article 60(4) GDPR, Article 65(4) GDPR).

In order not to overload the EDPB with insufficiently grounded submissions, which would delay decisions,[240] Article 4(24) GDPR introduces a threshold requiring such objections to be ‘relevant’ and ‘reasoned’. In this regard, they have to show an infringement of, or compliance with, the GDPR contrary to the lead authority's draft decision, clearly demonstrating the significance of the risks posed by the draft decision.[241]

An objection is therefore only relevant and reasoned when it refers to the concrete draft decision and does not merely contain concerns of a general nature.[242] This requires the exact legal reasons for the objection to be provided,[243] clearly stating the non-negligible risks for the data subjects or for the free flow of personal data.[244]

The notion of a relevant and reasoned objection is to be further developed by the EDPB.[245] For further information on the EDPB’s criteria and procedure for elaborating a relevant and reasoned objection, see the commentary on Articles 60, 65 GDPR.

Relevant Recitals

Recital 124: Lead Supervisory Authority and Cooperation
Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection.

(25) Information Society Service

For the definition of ‘information society service’, the GDPR refers to Article 1(1)(b) of Directive (EU) 2015/1535 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. According to that provision, such services are any service “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient”.[246]

‘At a distance’ means that the service is provided without the parties being simultaneously present.[247] Thus, even when electronic means are used, services provided in the physical presence of the recipient and the provider do not fall within this definition.[248]

‘By electronic means’ requires that the service is entirely sent and received via electronic equipment for the processing and storage of data, for example by being transmitted by wire, radio, optical or other electromagnetic means.[249] And while offline services are excluded,[250] composite services such as the selling of goods, advertising and gaming do qualify.[251]

An ‘individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.[252] Services transmitting data to an unlimited number of individuals without their individual demand, such as radio broadcasting, television or teletext, are therefore not covered.[253] By contrast, video-on-demand or pay-per-view services do qualify as information society services.[254]

Accordingly, most online services encountered nowadays fulfil the criteria of an information society service. Typical examples are:[255]

  • Online legal or health services
  • Online libraries or newspapers
  • Online shopping and booking services
  • Online media-platforms or video games
  • Online search engines and web browsers

The classification as an information society service becomes relevant in several contexts of the GDPR, such as its material scope (see Article 2(4) GDPR),[256] children’s consent (see Article 8(1) GDPR), the right to erasure (see Article 17(1)(f) GDPR) or the right to object (see Article 21(5) GDPR). For further information in this context, see the commentary on the relevant provisions.

Relevant Recitals

Recital 21: Application without Prejudice to the Application of Directive 2000/31/EC
This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

(26) International Organisation

An ‘international organisation’ means any organisation, or subordinate bodies of such an organisation, which is governed by public international law or set up by an agreement between two or more countries.

While there is no universally accepted or further specified definition of the term in the GDPR, the general definition in the Vienna Convention on the Law of Treaties of 1969[257] serves as a source of inspiration for interpreting EU law according to the CJEU.[258] However, Article 2(1)(i) of the Convention defines an international organisation merely as an ‘intergovernmental organization’, thereby failing to deliver a more specific definition. Moreover, since neither of the two ways of constituting an international organisation, through public international law or through a multilateral agreement, is further delineated by the GDPR, a broad and flexible approach to the term is suggested.[259]

In this regard, most organisations, such as the United Nations (UN), the International Telecommunication Union (ITU) and the World Trade Organization (WTO), as well as Interpol and Europol, fall under the term.[260] However, these examples are not exhaustive and can be extended to many other international organisations. Only NGOs, which are usually established as private initiatives and governed by domestic Member State law, may not qualify as such.[261]

The classification as an international organisation is relevant in terms of the additional rules placed on data transfers according to Articles 44-50 GDPR. While the Data Protection Directive only regulated data flows to third countries, the GDPR now extends the applicability of these rules to international organisations as well.[262] For more information on the principles and additional safeguards placed on such transfers, see the commentary on Articles 45-49 GDPR.

Further Definitions

Article 4 GDPR is not the only provision defining relevant terms for the GDPR. The regulation contains further articles that directly or indirectly deliver definitions in its context, such as:

For further information check the commentary on the respective Articles.

Decisions

→ You can find all related decisions in Category:Article 4 GDPR

References

  1. European Commission, What is personal data? (accessed on 08.09.2021); its antonym is defined in Article 3(1) of Regulation (EU) 2018/1807.
  2. Council of the European Union, 2012/0011 (COD), 27 January 2012, p. 9 (available here).
  3. Commission of the European Communities, COM (90) 314 final - SYN 287 and SYN 188, 30 September 1990, p. 19.
  4. German Federal Constitutional Court, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83, 484/83, 15 December 1983, margin number 150 (available here).
  5. Commission of the European Communities, COM(90) 314, final, 13 September 1990, p. 19 (available here).
  6. Commission of the European Communities, COM (92) 422 final, 15 October 1992, p. 10 (available here); also cited in WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 4 (available here).
  7. European Court of Human Rights. Amann v. Switzerland [GC], no. 27798/95.
  8. For example as a consumer, patient, employee or customer; see also WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6 f. (available here).
  9. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; especially the latter type of information constitutes a significant part of the processing in sectors such as banking, insurance or employment.
  10. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 6; in fact, the GDPR provides tools to rectify incorrect information, see Article 16 GDPR.
  11. Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  12. In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  13. Drug prescription information (name, strength, manufacturer, price, reasons, form, patterns, etc.) as well as information on the prescriber; see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 7 (available here).
  14. A drawing of a child representing her family provides information about the girl's mood and what she feels about different members of her family. The drawing will indeed reveal information relating to the child and also about e.g. her father's or mother’s behaviour, making it personal data; see Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 8 (available here).
  15. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 ff. (available here).
  16. CJEU, Nowak, 20 December 2017, margin number 35 (available here).
  17. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 9 (available here), for example medical records on a patient, or the file of an employee.
  18. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 8 (C.H. Beck 2018); especially in the case of aggregated and statistical data, see Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 31 (Carl Heymanns Verlag 2018).
  19. Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 12 (C.H. Beck 2020); e.g. the height of the Mount Everest.
  20. See WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
  21. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 19 (Nomos 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 15 (C.H. Beck 2018).
  22. Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 14 (C.H. Beck 2020); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 27 (Carl Heymanns Verlag 2018).
  23. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 10 (available here).
  24. WP29, Working document on data protection issues related to RFID technology, 10107/05/EN WP 105, 19 January 2005, p. 8 (available here).
  25. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
  26. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 11 (available here).
  27. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here); Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 18 (C.H. Beck 2020); EUCJ, C-582/14, Breyer, 19 October 2016, margin number 38 (available here).
  28. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 f. (available here) with reference to the Commission.
  29. For direct identification, the name of a person usually requires a combination with more information such as a birth date, address or photo to prevent confusion with possible namesakes, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 13 (available here).
  30. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 12 (available here).
  31. EUCJ, C-582/14, Breyer, 19 October 2016, margin number 43 (available here).
  32. WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
  33. EUCJ, C-582/14, Breyer, 19 October 2016, margin numbers 47-49 (available here); similar for cookies and device fingerprinting, see Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 36 (C.H. Beck 2020).
  34. Klar/Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 1 GDPR, margin number 22 (C.H. Beck 2020).
  35. Therefore requiring anticipation and strict monitoring, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 15 (available here).
  36. Recital 14 sentence 1 GDPR.
  37. Universal Declaration of Human Rights, 10 December 1948 (available here).
  38. However, the rules for unborn children strongly differ between states, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 23 (available here).
  39. See Recital 27 sentence 1 GDPR.
  40. See Recital 27 sentence 2 GDPR.
  41. Especially, where genetic diseases of parents indicate that their children maybe suffer from the same, see WP29, Opinion 4/2007 on the concept of personal data, 20 June 2007, p. 22 (available here).
  42. Recital 14 sentence 2 GDPR.
  43. See Article 1 Directive 2002/58/EC.
  44. See Karg, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 1 GDPR, margin number 43 f. (NOMOS 2019).
  45. Bygrave/Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 111 (Oxford University Press 2020).
  46. CJEU, C-141/12, YS and Others, 17 July 2014 (available here).
  47. CJEU, C-524/06, Huber, 16 December 2008 (available here).
  48. CJEU, C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008 (available here).
  49. CJEU, C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk u.a., 20 May 2003 (available here).
  50. CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
  51. CJEU, C-342/12, Worten, 30 May 2013 (available here).
  52. CJEU, C-101/01, Lindqvist, 6 November 2003 (available here).
  53. CJEU, C-582/14, Breyer, 19 October 2016 (available here).
  54. CJEU, C-212/13, Ryneš, 11 December 2014 (available here).
  55. CJEU, C‑434/16, Nowak, 20 December 2017 (available here).
  56. CJEU, C‑291/12, Schwarz, 17 October 2013 (available here).
  57. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 4 (C.H. Beck 2020).
  58. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 21 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 15 f. (NOMOS 2019).
  59. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 23 (C.H. Beck 2020).
  60. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 24 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 19 (NOMOS 2019).
  61. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 21, (NOMOS 2019).
  62. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 20 (NOMOS 2019).
  63. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 22 (NOMOS 2019).
  64. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 27 (C.H. Beck 2020).
  65. Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 66 (Nomos 2018).
  66. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 32 (C.H. Beck 2020).
  67. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 26 (NOMOS 2019).
  68. Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 28 (NOMOS 2019).
  69. Recital 67 GDPR.
  70. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 4 2 GDPR, margin number 26 (C.H. Beck 2020); Roßnagel, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 2 GDPR, margin number 30 (NOMOS 2019).
  71. Reimer, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 76 (Nomos 2018).
  72. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 9 (Deutscher Fachverlag 2018).
  73. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 34 (C.H. Beck 2018).
  74. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 60 (Carl Heymanns Verlag 2018).
  75. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 61 (Carl Heymanns Verlag 2018).
  76. Recital 67 sentence 2 GDPR.
  77. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 13 (ottoschmidt 2018).
  78. Recital 67 sentence 1 GDPR.
  79. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 36 (C.H. Beck 2018) and Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 84 (Nomos 2018).
  80. Helfrich, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 352 (Nomos 2018).
  81. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 21 (C.H. Beck 2017).
  82. Recital 30 sentence 1 GDPR.
  83. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 39 (C.H. Beck 2018).
  84. Recital 70 GDPR.
  85. Recital 71 sentence 1 GDPR.
  86. Recital 71 sentence 1 GDPR.
  87. Recital 60 sentence 3 GDPR.
  88. Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020) and Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 94 (Nomos 2018).
  89. Klar, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4 5 GDPR, margin number 8 (C.H. Beck 2020).
  90. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 39 (C.H. Beck 2018).
  91. Recital 26 GDPR.
  92. Hullen, Anonymisierung und Pseudonymisierung in der Datenschutz-Grundverordnung, in Privacy in Germany 05/2015, p. 210.
  93. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 72 (Carl Heymanns Verlag 2018).
  94. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 98 (Nomos 2018).
  95. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 69 (Carl Heymanns Verlag 2018).
  96. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 18 (Deutscher Fachverlag 2018).
  97. Recital 28 sentence 1 GDPR, such as Hansen, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4 5 GDPR, margin number 2 (NOMOS 2019); Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 210 (Deutscher Fachverlag 2018).
  98. Jahnel, in Jahnel, DSGVO, Article 4(6) GDPR, margin number 2 (Jan Sramek Verlag 2021).
  99. Jahnel, in Jahnel, DSGVO, Article 4(6) GDPR, margin number 5 (Jan Sramek Verlag 2021) and CJEU, C-25/17, Jehovan todistajat, 10 July 2018 (available here).
  100. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 44 f. (C.H. Beck 2018).
  101. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
  102. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 45 (C.H. Beck 2018).
  103. Jahnel, in Jahnel, DSGVO, Article 4(6) GDPR, margin number 5 (Jan Sramek Verlag 2021).
  104. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 13 (available here).
  105. Hartung, in Kühling, Buchner, DS-GVO BDSG, Article 4(7) GDPR, margin number 13 (C.H. Beck 2020).
  106. CJEU, C‑131/12, Google Spain, 13 May 2014, margin number 34 (available here).
  107. CJEU, C‑131/12, Google Spain, 13 May 2014, margin numbers 32 ff. (available here), according to which activities of search engines play a decisive role in the overall dissemination of those data that otherwise might not have been found on the web page on which those data are published.
  108. CJEU, C‑210/16, Wirtschaftsakademie Schleswig-Holstein, 5 June 2018, margin number 39 (available here), according to which the administrator of a fan page hosted on Facebook through setting parameters on its target audience and promoting its activities takes part in the determination of purposes and means of the processing of personal data of its visitors.
  109. CJEU, C-40/17, Fashion ID, 29 July 2019, margin numbers 64 f. (available here), according to which the decision to embed a ‘Like Button’ on a website is made by the operator and enables Facebook to obtain personal data of visitors to that website as well.
  110. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 56 (C.H. Beck 2018).
  111. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 32 (ottoschmidt 2018).
  112. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010 (available here).
  113. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 28 (available here).
  114. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 25 (available here).
  115. WP29, Opinion 01/2010 on the concepts of "controller" and "processor", 16 February 2010, p. 27 (available here) and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 30 (C.H. Beck 2017).
  116. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 76 (C.H. Beck 2018) and Jahnel, in Jahnel, DSGVO, Article 4(8) GDPR, margin number 4 (Jan Sramek Verlag 2021).
  117. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 29 f. (available here).
  118. More precisely, Article 13(1)(e) GDPR, Article 14(1)(e) GDPR, Article 15(1)(c) GDPR.
  119. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 31 (C.H. Beck 2017).
  120. See Article 4(8) GDPR and Article 4(10) GDPR.
  121. See Article 4(9) GDPR, “whether a third party or not”.
  122. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 46 (Deutscher Fachverlag 2018).
  123. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 14 (ottoschmidt 2018).
  124. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 57 (C.H. Beck 2018) and Regenhardt, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 156 (Nomos 2018).
  125. Article 4(9) sentence 2 GDPR.
  126. Recital 31 sentence 1 GDPR.
  127. See also Article 13(1)(d) GDPR, Article 14(2)(b) GDPR.
  128. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 42 (ottoschmidt 2018).
  129. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 83 (C.H. Beck 2018).
  130. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 (available here); and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 90 (Carl Heymanns Verlag 2018).
  131. EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 2 September 2020, p. 27 f. (available here); and Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 33 (C.H. Beck 2017).
  132. Recital 32 sentence 1 GDPR.
  133. Recital 32 sentence 2 GDPR.
  134. Klement, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 7 GDPR, margin number 18 (NOMOS 2019).
  135. Article 7(1) GDPR, Recital 42 sentence 1 GDPR.
  136. Recital 43 sentence 1 GDPR.
  137. Recital 43 sentence 1 GDPR, and Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 98 (Carl Heymanns Verlag 2018).
  138. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 71 (C.H. Beck 2018).
  139. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 73, 76 (C.H. Beck 2018).
  140. Recital 43 sentence 2 GDPR.
  141. CJEU, C‑61/19, Orange România, 11 November 2020, margin number 46 (available here).
  142. Buchner, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin numbers 2, 5 (C.H. Beck 2020).
  143. Recital 32 sentences 5, 6 GDPR.
  144. Recital 32 sentence 3 GDPR.
  145. CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available here).
  146. CJEU, C‑673/17, Planet49, 1 October 2019, margin numbers 44, 52 (available here).
  147. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 65 (C.H. Beck 2018).
  148. Buchner, Kühling, in Kühling, Buchner, DS-GVO BDSG, Article 4(11) GDPR, margin number 67 (C.H. Beck 2020); Ernst, Die Einwilligung nach der Datenschutzgrundverordnung, in Zeitschrift für Datenschutz, 03/07 (2017), p. 111.
  149. Wording: “otherwise processed”.
  150. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 40 (C.H. Beck 2017).
  151. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  152. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  153. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  154. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 180 (Nomos 2018).
  155. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
  156. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018); Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  157. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
  158. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 178 (Nomos 2018).
  159. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 96 (Carl Heymanns Verlag 2018).
  160. Mantz, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 179 (Nomos 2018).
  161. See EDPB, Guidelines 01/2021 on Examples regarding Data Breach Notification, 14 January 2021 (available here).
  162. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin numbers 106, 108 (Carl Heymanns Verlag 2018).
  163. Additionally, member states may maintain or introduce further conditions and limitations for the processing of genetic data, Article 9(4) GDPR.
  164. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017).
  165. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 41 (C.H. Beck 2017); Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 182 (Nomos 2018).
  166. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 96 (C.H. Beck 2018).
  167. Usually through the creation of reference patterns that are then compared with the data subject later for unique identification, see Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 183 (Nomos 2018).
  168. Also called 'Dactyloscopic data'.
  169. Recital 51 GDPR, “The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person”.
  170. Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
  171. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 111 (Carl Heymanns Verlag 2018).
  172. Kampert, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 185 (Nomos 2018).
  173. Recital 35 sentence 2 GDPR.
  174. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
  175. Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018) and Sydow, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 189 (Nomos 2018).
  176. Petri, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(15) GDPR, margin number 5 (NOMOS 2019).
  177. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 118 (Carl Heymanns Verlag 2018).
  178. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 59 (Deutscher Fachverlag 2018); Ernst, in Paal, Pauly, DS-GVO BDSG, Article 4 GDPR, margin number 108 (C.H. Beck 2018).
  179. See Recital 35, “Personal data concerning health should include […] information derived from the testing or examination of one’s body, substances, such as genetic and biological samples”.
  180. However, in some cases (e.g. the public health sector) the processing of sensitive data may be necessary without the data subject's consent, see Recital 54 GDPR.
  181. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  182. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  183. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 5 (available here).
  184. CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29 (available here).
  185. CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 30 (available here).
  186. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 6 (available here).
  187. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  188. WP29, Guidelines for identifying a controller or processor’s lead supervisory authority, 16/EN WP 244 rev.01, 5 April 2017, p. 7 (available here).
  189. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 235 (Oxford University Press 2020).
  190. CJEU, C-131/12, Google Spain, 13 May 2014, margin number 55 (available here).
  191. WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
  192. WP29, Update of Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain, 76/16/EN WP 179 update, 16 December 2015, p. 4 (available here).
  193. According to which the GDPR applies to controllers outside the Union processing personal data of data subjects within the Union “related to the offering of goods or services” or “the monitoring of their behaviour”.
  194. Recital 80 sentence 6 GDPR.
  195. Gola, in Gola, DS-GVO, Article 4 GDPR, margin number 106 (C.H. Beck 2018).
  196. Recital 80 sentences 3, 4 GDPR.
  197. Recital 80 sentence 5 GDPR.
  198. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 204 (Nomos 2018).
  199. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 52 (C.H. Beck 2017).
  200. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 127 (Carl Heymanns Verlag 2018).
  201. Eßer, in Auernhammer, DSGVO BDSG, Article 4 GDPR, margin number 129 (Carl Heymanns Verlag 2018).
  202. For example, in German ("Unternehmen"), in French ("entreprise") and in Spanish ("empresa").
  203. See Recital 150 sentence 3 GDPR.
  204. Recital 37 sentence 1 GDPR.
  205. Recital 37 sentence 1 GDPR.
  206. Klabunde, in Ehmann, Selmayr, DS-GVO, Article 4 GDPR, margin number 58 (C.H. Beck 2017).
  207. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 76 (ottoschmidt 2018).
  208. For example, by having personal data protection rules implemented; see Recital 37 sentence 1 GDPR.
  209. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 78 (ottoschmidt 2018).
  210. Schreiber, in Plath, DSGVO BDSG, Article 4 GDPR, margin number 80 (ottoschmidt 2018).
  211. Ziebarth, in Sydow, Europäische Datenschutzgrundverordnung, Article 4 GDPR, margin number 221 (Nomos 2018).
  212. Pötters, Böhm, in Wybitul, EU-Datenschutz-Grundverordnung, Article 4 GDPR, margin number 70 (Deutscher Fachverlag 2018), as “group privilege light”.
  213. Feiler, Forgó, EU-DSGVO, Article 4 GDPR, margin number 49 (Verlag Österreich 2017).
  214. See Article 46(2)(b) GDPR.
  215. Article 47(1) GDPR.
  216. Article 47(3) GDPR.
  217. See Article 51(1) GDPR, Recital 117 sentence 1 GDPR and Article 8(3) ECFR: “Compliance with these rules shall be subject to control by an independent authority”.
  218. Recital 117 GDPR.
  219. Private actors cannot serve as DPAs, see Polenz, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(21) GDPR, margin number 1 (NOMOS 2019).
  220. The European Data Protection Supervisor (EDPS) is therefore not a DPA in terms of the GDPR, see Article 51(1) GDPR and Article 68(3) GDPR: “The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor”. The EDPS adheres to its own Regulation (EU) 2018/1725 and functionally oversees and advises the European institutions on their compliance with data protection rules.
  221. Recital 112 sentence 1 GDPR.
  222. See Recital 22 sentence 2 GDPR.
  223. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 275 (Oxford University Press 2020).
  224. CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29; and CJEU, C-131/12, Google Spain, 13 May 2014, margin number 54.
  225. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 276 (Oxford University Press 2020).
  226. For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
  227. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 277 (Oxford University Press 2020).
  228. See Recital 124 sentence 3 GDPR.
  229. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020).
  230. Polenz, in Simitis, Hornung, Spieker, Datenschutzrecht, Article 4(23) GDPR, margin number 1 (NOMOS 2019).
  231. See Recital 22 sentence 2 GDPR.
  232. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 282 (Oxford University Press 2020); and again CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 29; and CJEU, C-131/12, Google Spain, 13 May 2014, margin number 54.
  233. CJEU, C-131/12, Google Spain, 13 May 2014, margin numbers 53, 56; CJEU, C-230/14, Weltimmo, 1 October 2015, margin number 25.
  234. For example, some commercial activity may be too far removed from the processing of personal data by an entity to bring the non-EU entity processing the data within the scope of EU data protection law, see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR, 12 November 2019, p. 7 f. (available here).
  235. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 284 (Oxford University Press 2020).
  236. For a list of relevant criteria, see Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 285 (Oxford University Press 2020).
  237. See Article 4(22) GDPR.
  238. See Article 56 GDPR.
  239. See Article 4(23) GDPR.
  240. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 289 f. (Oxford University Press 2020).
  241. Especially regarding the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union, see Article 4(24) GDPR.
  242. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 4(24) GDPR, margin number 1 (C.H. Beck 2020).
  243. Dix, in Kühling, Buchner, DS-GVO BDSG, Article 4(24) GDPR, margin number 1 (C.H. Beck 2020).
  244. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 290 (Oxford University Press 2020).
  245. See Recital 124 sentence 4 GDPR and EDPB, Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679, 8 October 2020 (available here).
  246. Article 1(1)(b) Directive (EU) 2015/1535.
  247. Article 1(1)(b)(i) Directive (EU) 2015/1535.
  248. For example, surgeries making use of electronic equipment, electronic catalogues or ticket reservations within a shop, electronic video arcade games, see Annex I(1.) Directive (EU) 2015/1535.
  249. Article 1(1)(b)(ii) Directive (EU) 2015/1535.
  250. See also Annex I(2.) Directive (EU) 2015/1535.
  251. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 298 (Oxford University Press 2020); and WP29, Guidelines on consent under Regulation 2016/679, WP259 rev.01, 10 April 2018, p. 24 (available here).
  252. Article 1(1)(b)(iii) Directive (EU) 2015/1535.
  253. See Annex I(3.) Directive (EU) 2015/1535.
  254. CJEU, C-89/04, Mediakabel, 2 June 2005, margin numbers 38-39 (available here).
  255. Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 301 (Oxford University Press 2020).
  256. Especially in terms of liability rules coming from Articles 12 to 15 of the eCommerce-Directive 2000/31/EC; see also Recital 21 GDPR.
  257. Available here.
  258. CJEU, C-386/08, Brita, 25 February 2010, margin number 42 (available here); see also Bygrave, Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
  259. Bygrave, Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 305 (Oxford University Press 2020).
  260. Bygrave, Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 306 (Oxford University Press 2020).
  261. Bygrave, Tosoni, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 307 (Oxford University Press 2020).
  262. See Schröder, in Kühling, Buchner, DS-GVO BDSG, Article 4(26) GDPR, margin number 2 (C.H. Beck 2020).