GDPRhub structure guide

Introduction

So, you volunteered to summarise a decision – what are the next steps? This short guide will show you how to successfully submit a summary of a DPA/court decision on GDPRhub.

  1. Read the original decision. Use an automated translation tool, if necessary;
    • In the process of writing a summary it might be very helpful or even necessary to use an automated translation tool (e.g. DeepL). You are more than welcome to do so. However, we strongly discourage copy-pasting entire passages from the automated English translation. Rather, try to rephrase and shorten the given information. Most of the time, this will allow you to convey the key message more clearly and to avoid legal jargon or mistakes in translation.
  2. Carefully study the decision and extract the most important parts, focusing on GDPR-related issues. Establish the following:
    • Involved parties: who is the controller (a bank, an e-commerce company, a data broker doing this or that, etc.) and who is the data subject (a customer, the recipient of a marketing email, an employee, etc.), so that the real-life relationship between the parties is clear from the start;
    • Factual circumstances leading to the proceedings before a DPA/court (for example, on date X the data subject received a marketing email from the controller; on date Y the data subject submitted an access request and objected to marketing; on date Z the controller replied to the access request but ignored the erasure request; on date W the data subject lodged a complaint raising some issues: (1), (2), (3), etc.; and so on...);
    • Relevant GDPR provisions, not only violations but any other provision that helps to understand the logic of the case;
    • The holding of the DPA/court. Ideally, the summary follows the structure of the original decision and expresses the DPA's position on each of the different issues that arose during the proceedings. Some of these issues may come from the complaint, some may follow from ex officio powers the DPA or court has under the GDPR or other national laws;
    • Measures taken by the DPA or the court, if any.
  3. Read over the present document as well as the Style Guide in order to have a good idea of how your summaries should be structured and written.
  4. Open the submission form and fill in the sections, taking into account the instructions below.
  5. Enter your (nick)name and submission ID, and submit your summary on GDPRhub. Congratulations!

Summarising a DPA or court decision is not an easy task. While writing a summary, do not focus on merely shortening the document. It is very important to explain the relevant facts and the holding of the DPA/court to the reader in a concise way. Therefore, make sure to carefully study the text of the decision before filling in the submission form. In case of doubt, contact one of the Channel Managers via MatterMost, as they will always be happy to help you out.

Short summary

The brief (200-250 characters) summary of the GDPRhub decisions is particularly important for the GDPRtoday newsletter. One aim is to use this text as an overview for the weekly newsletter. Therefore, consistency and conciseness are even more important for this section than for the other parts of the summary. Please try to always follow the structure below when drafting the short summary, and reserve more detailed sentences for the following sections of the summary. Keep in mind:

  • The short summary should contain the following elements: WHO against WHOM for WHAT action according to WHICH provision of the GDPR. You can be flexible with the inclusion and order of the elements depending on each particular case.
  • Convey the key takeaway from the case without overwhelming the reader with information. Think, for example, of a morning commuter reading this on their phone.
  • Please also convert the fine amount to euros if it is in another currency (any online currency converter is fine). Remember to use the € symbol with no space before the amount.

Try to avoid:

  • General statements (like "X violated the GDPR"), as these give readers very little information.
  • Company names (like "Creditinfo Lánstrausti hf.") unless the company is generally known in Europe (like "Amazon"). Instead, say "a controller" (when the type of company is irrelevant) or "a credit ranking agency" (specific type of company).

Example template: The 'X' DPA fined 'Y' €50,000 for violating Article 'Z' GDPR by illegally processing the image of a data subject.

Example: The Spanish DPA imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent an email to the data subject with a third party's personal data.

Facts

The Facts section describes what happened prior to the DPA/court decision. Facts should be presented in chronological order.

Keep in mind:

  • Establish who was the data subject and who was the controller/processor at the beginning. E.g. "X, an electronics retailer (the controller), returned its customer's (the data subject) used TV." After that, refer to them consistently as the controller and the data subject throughout the whole summary.
  • Try to be as chronological as possible. Rather than starting with the complaint being filed e.g. in October 2022 and then going back to the alleged violations in October 2020, start with what happened in October 2020 and finish with October 2022:
    1. The data subject submitted an access request...
    2. The controller did not reply...
    3. The data subject filed a complaint...
    4. The DPA started an investigation...
    5. In its defense, the controller argued that (a), (b), (c)...
  • Focus on the facts that are relevant to the data protection issue at hand. The decision may concern other areas of law - leave out the facts that are only relevant to these other areas of law but not to data protection law.
  • Connect the Facts to the Holding. Whatever you include in this section should prepare the reader for what is coming in the Holding section. In other words, make sure all the facts are well-selected and can explain the Holding.
  • Do not include the violation, the fine or any legal reasoning of the DPA/court in the Facts. That belongs in the Holding section.
  • If it is an appeal or a second instance decision, then previous decisions should be summarised here. The Holding of the first instance proceedings becomes Facts in an appeal.

Holding

The Holding is the core of the decision and shows the DPA/court position on a certain matter, with reference to the relevant provisions of the GDPR and national law.

Keep in mind:

  • Ideally, you should explain the DPA/court reasoning on each single matter at stake in separate paragraphs:
    1. First, the DPA held that the controller had violated Article...
    2. Second, the DPA considered that...
    3. Finally, the authority considered that...
  • Do not say e.g. "The DPA held that under Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes." That's what the law itself says, that was not what the DPA held. Instead, you can simply say that the DPA "noted" or "pointed out" that "data subjects have such a right" and then follow up with e.g. "Hence, the DPA held in this case that because of X, the controller violated Article 21(2) GDPR."
  • You may also include aggravating or mitigating circumstances, if the DPA/court does so.
  • Avoid unnecessarily long explanations following the structure of the full decision. The DPA's structure may not always be suitable for the purposes of a GDPRhub summary, e.g. because the decision also concerned other areas of law or because the decision contained a number of procedural issues irrelevant to the GDPR violations.

Comment section

The summary is supposed to be an objective overview of the decision without including personal opinions of the author. You are welcome to add any remarks you have on the decision to the comment section. This is also where you can include references to similar decisions by the DPA, especially if previous decisions have been issued against the same controller. Note that filling in this section is not mandatory but highly encouraged.