GDPRhub structure guide

From GDPRhub
Revision as of 12:19, 12 December 2022 by Kk

This short guide will show you how to successfully submit a summary of a DPA/court decision on the GDPRhub. So, you volunteered to summarise a decision – what are the next steps?

  1. Read the original decision. Use an automated translation tool if necessary.
  2. Carefully study the decision and extract the most important parts, focusing on GDPR-related issues. Establish the following:
    • Involved parties;
    • Factual circumstances leading to the proceedings before a DPA/court;
    • Relevant GDPR provisions;
    • The holding of the DPA/court;
    • Measures taken by the DPA against the controller or final decision of the court.
  3. Read over this document as well as the Style Guide in order to have a good idea of how your summaries should be structured and written.
  4. Open the submission form and fill in the sections, taking into account the instructions below.
  5. Enter your (nick)name and submission ID, and submit your summary on the GDPRhub. Congratulations!

Summary Section

Summarising a DPA or court decision is not an easy task. While writing a summary, do not focus on merely shortening the document. It is very important to explain to the reader the relevant facts and the holding of the DPA/court in a concise way. Therefore, make sure to carefully study the text of the decision before filling in the submission form. In case of doubt, contact one of the Channel Managers via MatterMost, as they will always be happy to help you out.

Short summary

The brief (200-250 characters) summary of the GDPRhub decisions is particularly important for the GDPRtoday newsletter. The aim is to automatically extract this text and use it for the weekly newsletter. Therefore, consistency and conciseness are even more important for this section than for the other parts of the summary. Please try to always follow the structure below when drafting the short summary, and reserve more detailed sentences for the following sections of the summary. Keep in mind:

  • The short summary should contain the following elements: WHO against WHO for WHAT action according to WHICH provision of the GDPR. You can be flexible with the inclusion and order of the elements depending on each particular case.
  • Convey the key takeaway from the case without, for example, overwhelming a morning commuter reading this on their phone with information.
  • Please also convert the fine amount to euros if it is in another currency (any online currency converter is fine). Remember to use the € symbol with no space before the amount.

Try to avoid:

  • General statements (like "X violated the GDPR"), as these give readers very little information.
  • Company names (like "Creditinfo Lánstrausti hf.") unless the company is generally known in Europe (like "Amazon"). Instead, say "a controller" (when the type of company is irrelevant) or "a credit ranking agency" (specific type of company).

Example template: The 'X' DPA fined 'Y' €50,000 for violating Article 'Z' GDPR by illegally processing the image of a data subject.

Example: The Spanish DPA imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent an email to the data subject with personal data belonging to other clients.

Facts

The Facts section is for describing what happened prior to the DPA/court taking action (unless this decision is already an appeal). Do not include the violation or the fine here. Rather, say something along the lines of "The controller did/did not do X... The data subject filed a complaint because X." You may include the data subject's and/or the controller's arguments here but do not mention what the DPA/court held.

Keep in mind:

  • Try to be as chronological as possible. Rather than starting with the complaint being filed e.g. in October 2021 and then going back to the alleged violations in October 2020, start with what happened in October 2020 and finish with October 2021.
  • Focus on the facts that are relevant to the data protection issue at hand. The decision may concern other areas of law - leave out the facts that are only relevant to these other areas of law but not to data protection law.
  • Establish who was the data subject and who was the controller/processor at the beginning. E.g. "X, an electronics retailer (the controller), took back its customer's (the data subject) used TV." After that, refer to them consistently as the controller and the data subject throughout the whole summary.
  • If it is an appeal, then previous decisions should be summarised here (after you explain what the crux of the matter was).

Holding

The Holding is the "legal principle to be drawn from the decision". It is the rationale for the decision on the core dispute of the case. Indicate what the violation was and why. Explain the reasoning of the DPA with reference to the relevant provisions of the GDPR and national law. You may also include aggravating or mitigating circumstances here, if applicable.

Keep in mind:

  • If the decision concerned other areas of law, only mention them to the extent that it is relevant to data protection law. For instance, whether the controller lawfully collected a debt may be a prerequisite for finding whether the processing was lawful or not, but it is always important to circle back to the fact that the issue is whether the processing was lawful, not whether the debt collection was.
  • If multiple GDPR violations were found, it is usually a good idea to separate them into different paragraphs and start each paragraph with "First, the DPA held..." and "Second, the DPA also..." etc.
  • Do not say e.g. "The DPA held that under Article 21(2) GDPR, data subjects have the right to object to the processing of their personal data for direct marketing purposes." That is what the law itself says, not what the DPA held. Instead, you can say that the DPA "noted" or "pointed out" that data subjects have such a right and then follow up with e.g. "Hence, the DPA held in this case that because X, the controller violated Article 21(2) GDPR."
  • Similarly, for factual findings (e.g. that the controller did not erase the data), it is better to say "the DPA found". "The DPA held" should be used in regard to the actual ratio, e.g. "The DPA held that the meaning of 'sex life' under Article 9(1) GDPR encompasses...", "The DPA held that X constitutes a legitimate interest under Article 6(1)(f) GDPR", "The DPA held that Article 15(3) GDPR must be interpreted as..." or "The DPA held that the controller violated Article 6(1) GDPR."

Try to avoid:

  • Restating what the law says without drawing any conclusions for the particular case. Do not only write, e.g. "The DPA recalled that Article 4(1) GDPR defines 'personal data' as any information relating to an identified or identifiable natural person", but also try to explain why the DPA considered the information in question to be personal data under Article 4(1) GDPR.
  • Unnecessarily long explanations following the structure of the full decision. The DPA's structure may not always be suitable for the purposes of a GDPRhub summary, e.g. because the decision also concerned other areas of law or because the decision contained a number of procedural issues irrelevant to the GDPR violations.

Comment section

The summary is supposed to be an objective overview of the decision without including personal opinions of the author. You are welcome to add any remarks you have on the decision to the comment section. This is also where you can include references to similar decisions by the DPA, especially if previous decisions have been issued against the same controller.

Note: filling in this section is not mandatory but highly encouraged.

Automated translation

In the process of writing a summary, it might be very helpful or even necessary to use an automated translation tool (e.g. DeepL). You are more than welcome to do so. However, we strongly discourage copy-pasting entire passages from the automated English translation. Rather, try to rephrase and shorten the given information. Most of the time, this will allow you to convey the key message in a clear manner and to avoid legal jargon or mistakes in translation.

A helpful tip: if you are not sure about GDPR-related terminology in a specific language, go to the GDPR on EUR-Lex and look for the terms used in the provisions of the GDPR in that specific language.

Example: In the Netherlands, the GDPR is called AVG (= Algemene Verordening Gegevensbescherming).