Introduction to European Data Protection

https://iapp.org/resources/gdpr-in-20-minutes/

A. Origins and Historical Context of Data Protection Law

1. Rationale for data protection
a. Increase in the use of computers to process information about individuals which led to concerns of
adverse impact on individual privacy
b. The need for individuals to exercise control over their personal info while allowing free international
flow of information
c. Transborder trade facilitated by the European Economic Community also encouraged a rise in
information sharing
d. Computers in combination with telecommunications devt were opening up opportunities for data
processing on an international scale
2. Human rights laws
a. Right to privacy is a fundamental human right
b. Human Rights Laws
i. Universal declaration of Human Rights
1. Adopted on 10 december 1948 by UN General Assembly; After World War II
2. Recognizes the inherent dignity and the equal and inalienable rights of all
members of the human race in the foundation of freedom, justice and peace in
the world
3. Article 12
a. The right to private life and associated freedoms
b. “No one shall be subject to arbitrary interference with his privacy, family,
home or correspondence nor to attacks upon his honor and reputation.
4. Article 19
a. Right to freedom of opinion and expression
5. Article 29(2)
a. Individual rights are not absolute
b. In the exercise of his rights and freedoms, everyone shall be subject to
such limitations as are determined by law solely for the purpose of
securing due recognition and respect for the rights and freedoms of
others and of meeting the just requirements of morality, public order and
general welfare in a democratic society
ii. European Convention on Human Rights
1. Based on the Human Rights Declaration
2. Entered into force on 3 September 1953
3. Only applies to member states and all council of Europe member states are party
to the treaty
4. Powerful instrument cos of the scope of fundamental rights it protects eg right to
fair trial, freedom of thought etc
5. A system of enforcement established in Stasborough in form of the European
Court of Human Rights
a. Rulings of ECHR are binding on states and can lead to amendment and
change in practice by national govt
b. May give advisory opinions at request of Committee of Ministers of the
Council of Europe
c. Became a single full time Court on Human Rights on Nov 1 1998
6. Articles relevant to privacy
a. Article 8 of ECHR similar to Article 12 of UDHR
i. Everyone has right to respect for private and family life, home
and correspondence
 b. Right to privacy not absolute and necessity and proportionality may
justify breaching individuals’ privacy rights
c. Article 10 - right to freedom of expression
i. Article 10(1)-Everyone has right to freedom of expression
ii. Article 10(2)-Right has limitations : “The exercise of these
freedoms since it carries with it duties and responsibilities may
be subject to formalities, conditions, restrictions, or penalties
are prescribed by law and are necessary in a democratic
society in interests of national security, territorial integrity,
public safety for prevention of disorder or crime, protection of
health and morals, for protection of reputation or rights of
others, preventing disclosure of information received in
confidence, maintaining authority and impartiality of the
judiciary.
3. Early laws and regulations
a. Introduction
i. 1960s-1980s - Austria, Denmark, France, Germany, Luxembourg, Norway, Sweden took
the lead in implementing legislation aimed at controlling use of personal info
ii. Spain, Portugal, Austria - Data Protection, a fundamental right in the Constitution (SPA)
iii. Recommendation 509 on human rights and modern scientific and technological devt -
concern that with emerging technology, national legislation did not adequately protect the
right to respect for private life, family life, home and correspondence
iv. Resolutions 73/22 and 74/29- Had principles regarding protection of personal data in
automated databanks in the private and public sectors.
1. Main objective was for devt of legislation based on these resolutions
2. Need for comprehensive protection of personal information since there was
divergence in laws of member states
b. OECD Guidelines
i. Promotes policies to achieve the highest sustainable economic growth and employment
and rising standard of living in OECD member countries and non member countries
ii. OECD membership extends outside Europe
iii. 1980-developed Guidelines on the Protection of Privacy and Transborder Flows of
Personal data laying out rules for transborder data flows and protection of personal data
1. Developed in close cooperation with the Council of Europe and European
Community and published 23 Sept 1980
2. Not legally binding-basis for legislation in countries with no data protection
legislation
3. OECD ensured guidelines consistent with the Council of Europe Convention for
the Protection of Individuals with regard to Automatic Processing of Personal
Data
4. Objective of Guidelines: Protect privacy and rights and freedoms of individuals
without creating barriers to trade and allowing uninterrupted flow of personal data
across national borders
5. Principles do not differentiate between private and public sectors
6. Principles do not differentiate between personal data gathered electronically or
otherwise (technology neutral)
iv. OECD Guidelines on Protection of Privacy and Transborder Flows of Personal Data that
should be followed by data controllers
1. Collection Limitation
2. Data Quality Principle
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
 7. Individual participation
8. Accountability
9. Other considerations
a. Member states should consider implications for other member countries
of domestic processing and re-export of personal data
b. Reasonable appropriate steps should be taken to ensure security
c. Member states may engage in transborder flows of personal data
unless a country does not substantially observe the guidelines or where
the re-export of personal data would violate domestic privacy legislation
d. Member states may impose restrictions on transfer of info to another
country for which domestic legislation has specific regulations and the
other country has no equivalent protection
e. Member countries should avoid developing laws, regulations and
policies which would create obstacles to transborder flows
c. Convention 108
i. The convention for the protection of individuals with regard to Automatic Processing of
Personal Data
ii. Adopted by the Council of Europe and open to signature to member states of Council of
Europe - 28 Jan 1981
iii. Open to countries outside Europe
iv. Reaffirms Resolution 1973 and 1974; first legally binding international instrument on data
protection while recognizing the need to maintain free flow of personal data for purposes
of international trade
v. Differs from Guidelines since signatories have to apply the principles through their
domestic legislation
vi. Recognized the need for protection of personal information in computerized form
vii. Preamble: Aim is to achieve greater unity between its members and extend safeguards for
everyone’s rights and fundamental freedoms, in particular right to privacy taking into
account increasing transfer across frontiers of personal data undergoing automatic
processing
viii. Consists of three main parts
1. Substantive law provisions
a. Personal information undergoing automatic processing shall be:
i. Obtained and processed fairly and lawfully
ii. Stored for specific and legitimate purposes and not used in a
way incompatible with those purposes
iii. Adequate, relevant and not excessive in relation to purposes
for which they are stored
iv. Accurate and where necessary kept up to date
v. Preserved in a form that permits identification of the individuals
for no longer than is required for the purpose for which the
information is stored
vi. Appropriate security measures taken to protect personal
information
vii. Personal info revealing racial origin, political opinions, religious
or other beliefs as well as personal data that concerns health
or sexual life or criminal convictions may not be processed
automatically unless domestic law allows with safeguards
viii. Individuals must have the right of communication, rectification
and erasure of personal information held
b. There is an exception to provisions only when it is a necessary measure
in a democratic society ( state security or criminal investigation)
reflecting proportionality requirements in Article 6, 8, 10, 11 of the
ECHR
 2. Special rules on transborder data flows
a. Article 12 of Convention - Where transfers of personal info are made
between signatories to convention 108 those countries shall not impose
any prohibitions or require any special authorizations for purpose of
protecting data before transfer is made
b. Derogation only if exporting country has in place specific rules for
certain categories of personal data or of automated personal data files
and importing country does not provide equivalent protection or transfer
is to a country not party to Convention 108
c. Additional Protocol to the Convention for the Protection of individuals
with regard to Automatic Processing of Personal data regarding
supervisory authorities and transborder data flows (2001)
i. Convention 108 had no measures for transfer of personal data
to countries not signatories to the convention
ii. Introduced concept of adequate rather than equivalent
protection
iii. Exceptions
1. Transfer is made in legitimate interests of individual
2. Public interest
3. Transfer is based on contractual clauses
3. Mechanisms for mutual assistance and Consultation between the parties
a. Parties to Convention 108 must designate a supervisory authority to
oversee compliance with data protection law and liaise with supervisory
authorities in other jurisdiction for purposes of consultation and mutual
assistance regarding implementation
4. The need for a harmonised European approach
a. Introduction
i. Guidelines and Convention 108 was to introduce a harmonized approach to data
protection based on international agreement
ii. Implementation of principles left to discretion of member states which led to diverse set of
data protection regimes
b. Data Protection Directive
i. 1976 - European Commission called on European parliament to prepare a proposal for a
directive to harmonize data protection laws
ii. Directives are binding on member states but implementation left to discretion of member
states
iii. European Commission used the principles contained in Convention 108 as basis for the
directive
iv. Main Concern - was the diversity of national approaches and lack of system of protection
at community level which were considered obstacle to completing internal market
v. Directive 95/46/EC on the protection of individuals with regard to the processing of
personal data and on the free movement of such data was created extending protections
to both automated and non-automated data and covering both public and private sectors
1. There were problems with incorrect implementation of directive requiring
rectification and in cases where this was not done, the commission issued
infraction proceedings against member states
2. There were inconsistencies in implementation by member states
3. Inconsistency regarding notifying Data Protection Authorities of processing
details resulting in substantial bureaucracy and cost for businesses especially in
transfer of personal info to countries outside EU
c. Charter of Fundamental Rights
i. Signed by Presidents of European Parliament, Council and Commission on 7 Dec 2000 in
Nice
 ii. Based on EU treaty, Court of Justice of European Case Law (CJEU), European Union
member state’s constitutional traditions, EU Convention on Human Rights
iii. Charter became binding when Treaty of Lisbon came in force in December 2009
d. Articles 7 and 10 reflect provisions of ECHR in Articles 8 and 10
i. Everyone has right to protection of personal data concerning him or her
ii. Such data must be processed fairly for specified purposes and on the basis of consent of
person concerned or some other legitimate basis laid down by law. Everyone has right of
access to data which has been collected concerning him or her and right to have it
rectified
iii. Compliance with the rules subject to control by an independent authority
e. Article 8 of ECHR enshrines the following core values for protection of personal data
i. Processing must be fair
ii. Processing must be carried out for specified purposes
iii. There must be legit basis for processing
iv. Individuals have right to access and rectify personal data
v. There must be a supervisory authority to oversee compliance
f. Limitations to rights must be in accordance with Article 52 which mirrors limitations based on
necessity and proportionality in ECHR
5. The Treaty of Lisbon
a. Signed 13 Dec 2007 by EU member states; effective 1 Dec 2009
b. Amends Treaty on European Union and Treaty Establishing the European Community - renamed
the (Treaty on the Functioning of the European Union or TFEU)
i. Echoes Article 8 of ECHR
ii. Article 16(1) of the TFEU states that everyone has the right to the protection of personal
data concerning him or her
iii. Article 16(2) ensures that all institutions of the EU protect individuals when processing
personal data
iv. A European data protection supervisor regulates compliance with data protection law
within EU institutions; National DPAs may also have authority regarding this
c. Main aim is to strengthen the core structures of the European Union to enable it to function more
efficiently
d. Promotes core values including human dignity, freedom, democracy, equality, the rule of law and
the respect of human rights. Treaty establishing EU did not mention fundamental rights
e. Justice, freedom and security are high priorities and a common legal framework for all EU activities
6. A modernised framework
a. The General Data Protection Regulation
i. Proposal for a comprehensive reform of Directive for single rules across EU by EU
Commission
1. This was a result of fragmented implementation of data protection across the EU
2. Legal uncertainty
3. Widespread public perception that there are significant risks to protection of
personal data in regard to online activity
ii. Negotiation process (Trilogue) btn the European Commission, European Parliament and
Council of EU
iii. Regulation entered into force May 2016 and fully enforceable 25 May 2018
iv. Need for regulation to ensure consistent approach; regulation applies directly to all
member states and no need for it to be transposed into national law
v. GDPR allows member states to enact specific rules in some situations
1. Where there are specific laws in place eg regarding processing of employee data
2. Archiving purposes in public interest, scientific, historical research or statistical
purpose
3. Processing of special categories of personal data
4. Processing in compliance with legal obligation
vi. Key Changes in the GDPR
 1. Stronger rights for individuals online
2. Data privacy be taken into account when new technologies are being developed
(privacy by design and default)
3. Introduction of accountability where organizations show compliance with GDPR
4. Increased powers for supervisory authorities
5. One stop shop concept
6. Broader applicability of regulation to anyone targeting EU Customers
b. Related Legislation
i. Law Enforcement Data Protection Directive
1. Directive for the protection of natural persons with regard to the processing of
personal data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution of
criminal penalties and on free movement of such data
2. Entered into force 5 May 2016
3. Member states have until 6 May 2018 to transpose the LEDP Directive into
national law
4. Aim is to harmonize rules in place across member states to protect citizens’
fundamental rights whenever personal data are used by criminal law
enforcement authorities; member states can provide high safeguards in national
law to protect rights of data subjects
ii. ePrivacy Directive
1. Sets the rules regarding processing personal data across public communications
networks
2. ePrivacy directive needs to be reviewed and amended to ensure consistency
with GDPR
iii. Evolution of Data Protection Law in the EU PG 19-22

B. European Union Institutions

1. Background
a. Treaty of Lisbon amended Treaty on European Union (EU Treaty) and Treaty establishing the
European Community (Treaty of Rome)
b. Main aim was to reform the structure of the EU Institutions and legislative process and reduce
bureaucracy
c. European Council and European Central Bank granted institutional status - make binding decisions
d. Treaty of Lisbon and Protection of Privacy
i. Made the Charter of Fundamental Rights legally binding on institutions
ii. The Charter establishes applicability of fundamental rights in EU Law
iii. Charter compiles civil, political, economic and social rights of EU Citizens and residents
into one law
iv. Charter enshrines the following
1. Respect for private and family life
2. Protection of personal data
3. Right to good administration
e. Role in relation to data protection
i. Charter provisions binding only when the national law implements EU legislation
ii. Poland and UK- Charter only applies to the extent that rights or principles in it are
recognized in law and practices of Poland or UK; still bound by CJEU case law
iii. Czech Republic has special arrangements regarding application of Charter
2. Council of the European Union
a. Established by the treaties of the 1950’s that laid the foundations of the EU
b. Main decision making body; has a central role in political and legislative decisions
c. Co-legislator with European Parliament
i. Also under Article 9c of the EU treaty, exercises budgetary functions with EU Parliament
ii. Carries out policy making and coordinating functions
 d. Council Meetings attended by one minister from the 28 member states
e. Ministers can commit their governments to Council decisions; accountable to national parliaments
f. Council criticized for being un-democratic and lacking transparency
i. Treaty of Lisbon calls on Council to be open and transparent when it votes on draft
legislative act
g. Composition of Council varies
i. General Affairs, Foreign Affairs, Economic and Financial Affairs etc (13 committees)
h. Working in Practice
i. Legislation is proposed by the Commission before being determined by the Council and
Parliament based on consent, consultation and ordinary procedures
ii. Can amend proposal before adoption
iii. President presides over the Council - Presidency held by member states on basis of equal
rotations to be established by the European Council acting by qualified majority
iv. Concludes international agreements negotiated by the Commission
v. Acts of the Council can take the form of regulations, directives, common actions or
common positions, recommendations, or opinions.
vi. It can also adopt conclusions, declarations or resolutions
vii. Treaties set number of votes to be decided and define cases in which simple majority,
qualified majority or unanimity are required
viii. What Majority entails
1. A proposal from the Commission or the High Representative of the Union for
Foreign Affairs and Security Policy requires at least 55 percent of member states
(means 16 out of 28) representing at least 65% of total EU population
2. In other cases, qualified majority requires 72% of member states (21 out of 28)
and at least 65% of total EU population
3. European Court of Human Rights
a. Based in Strasbourg and founded in 1959
b. Oversees the Convention that protects fundamental rights of people living in contracting states
i. Convention and protocol protect the following rights
1. Right to life, right to fair hearing in civil and criminal matters, right to respect for
privacy and family life; freedom of expression; freedom of thought, conscience
and religion, right to effective remedy; peaceful enjoyment of possessions; vote
ii. Does this by examining complaints ‘applications’ lodged by individuals or states
iii. Delivers judgment when finds a violation which is binding on countries concerned
iv. Judgments are final; if judgment not unanimous, judge may deliver separate opinion
v. If a measure taken by legal or authority of Contracting state violates the Convention and
the internal law of state allows for partial reparation, decision of ECHR must afford just
satisfaction to injured party
c. Not an institution of EU and has no enforcement power
d. Working in Practice
i. Number of judges are equal to that of members of Council of Europe that have ratified
convention
1. 49 including registrar, dp registrar, president, two VP and 3 section Presidents)
ii. Judges do not represent any state; individuals; No two judges may be from same state
iii. Chamber of 7 judges consider each case referred to ECHR
iv. Expenses of Court borne by Council of Europe
v. Jurisdiction
1. Extends to all cases concerning interpretation of Convention
2. Cases referred by contracting states or European Commission of Human Rights
a. States that bring cases
i. A state whose citizen is alleged to be victim of a violation of the
convention
ii. State that referred the case to Commission
 iii. State against which complaint has been lodged; provided state
or states concerned are subject to ECHR jurisdiction or
consented to case being heard by ECHR
b. Nationals of contracting states may lodge an application with ECHR
when they have personally been victim of a violation of rights and
guarantees as set out in Convention and Protocol
c. Violation must have been committed by one of the states bound by the
convention
3. ECHR does not have powers to overrule national decisions or anul national laws
4. No enforcement hence Council of Europe has burden of ensuring compensation
is paid and has responsibility to supervise execution
vi. Data Protection
1. Article 8 protecting right to respect for family life and privacy
a. ECHR has stated that the use of modern electronic equipment to
process personal data should be kept under control to safeguard Art. 8
2. Case law
a. French Cases in 2009; Bouchacourt v France; Gardel v. France; M.B. v.
France
i. Reaffirmed the fundamental role of the protection of personal
data but held that automated processing of data for police
purposes and more specifically inclusion of applicant’s
personal data in national police database of sex offenders was
not article 8 violation
b. 2012 case concerning UK; MM v. United Kingdom
i. Though there might be a need for comprehensive record of
data relating to criminal matters, the indiscriminate and open
ended collection of criminal record data is unlikely to comply
with Article 8
c. 2007 Judgment-Copeland v. UK; monitoring of applicant’s email at work
violation of Article 8
d. Right of Access to Data
i. 1989 case of Gaskin v. United Kingdom
1. Restricting applicant’s access to personal file contrary
to Art. 8
ii. Haralambie v. Romania
1. Article violated by obstacles placed in applicant’s way
when he sought access to secret service file on him
drawn up in Communist rule
4. European Parliament
a. Article 14 of the Treaty of Lisbon - EU Parliament exercises legislative and budgetary functions and
elects President of the Commission
b. Rationale and Functions
i. Members are directly elected by the EU Citizens (Persuasive force in the EU)
ii. Article 9A of EU Treaty responsibilities
1. Legislative development
a. Can’t propose new legislation
b. May invite Commission to submit a proposal to the Council of European
Union
c. May invite Commission to amend existing policies or develop new ones
d. Shares legislative power with the Council and three procedures may
apply
i. Ordinary procedure
1. Parliament and Council must assent to legislation
2. No adoption if opposed by either institution
 ii. Consultation procedure
1. Council must consult Parliament but is not bound by
Parliament’s opinion since Council alone has
legislative power
iii. Consent procedure
1. Important decisions req Parliament’s consent eg
enlargement of the EU
2. Supervisory oversight of other institutions
a. European Commission; can censure the institution and force entire
College of Commissioners to resign
3. Democràtic representation
a. Commission must submit reports to Parliament to ensure democratic
oversight
4. Devt of the budget
a. Shares authority with Council to determine EU budget
b. Both institutions must adhere to annual spending limits laid down in the
multiannual financial perspective
iii. Parliament working in Practice
1. Elections for Members of the European Parliament are held every five years
2. Every adult EU Citizen is entitled to vote and stand as a candidate
3. Has 751 members including the president, represent all 28 EU Countries
4. No member state allowed more than 96 Members of European Parliament
(MEPs); minimum of 6 members per member state
5. MEPs sit in Europe wide political groups and not national blocs
6. Before every vote, the political groups must scrutinize the reports drawn up by
the parliamentary committees and propose amendments to them
7. The Parliament’s work is in two main stages
a. Preparation for the Plenary Session
i. If Commission has proposed a legislative text, MEP will be
appointed rapporteur with the responsibility of preparing a
report on the proposed text; report debated and amended
within committee be4 submitting to parliament in plenary
session. Political groups discuss the paper be4 plenary
session.
b. Plenary Session
i. Parliament amends, examines and votes on proposed
legislation and report prepared by relevant committee. After
text has been revised and adopted in plenary, parliament
adopts its position. Process repeated one or more times.
ii. Voting structure under Treaty of Lisbon changed from absolute
to simple majority
iv. Data Protection Role
1. Has greatest impact on data protection and privacy through its role in the
legislative process of the EU
a. Based on Treaty of Lisbon which enshrines universal right to protection
of personal data and states that legislation will be adopted under the
ordinary legislative procedure
2. Taken a more vocal stance on privacy compared to other institutions
a. EG during the legislative process for reform of European data protection
directive resulting in GDPR and the Law Enforcement Data Protection
Directive (LEDP)
5. European Commission
a. Created in 1965 when the European Coal and Steel Community; European Economic Community
and European Atomic Energy Community merged
 b. Described as Executive Body of EU; Implements EU Decisions and policies
c. The commission has a wide range of responsibilities
i. Promote the general interest of the Union
ii. Ensure application of the Treaties and measures adopted by Parliament
iii. Oversee the application of Union Law under the Court of Justice of the European Union
iv. Execute the budget and manage programmes
v. Exercise coordinating, executive and management functions according to the Treaties
vi. Ensure Union’s external representation with the exception of common foreign and security
policy
vii. Shall initiate Union’s annual and multiannual programming
d. Commission has power to initiate legislation-Union legislative acts may be adopted on basis of
Commission’s proposal
e. Guardian of treaties by monitoring compliance of the institutions, member states, natural and legal
persons
i. Article 226 and 228 of EC Treaty-Commission can take legal and administrative action
including fines against a member state that does not comply with the law
ii. Articles 230 and 232 -Provides necessary supervisory powers over other institutions
f. Working in Practice
i. Each of the 28 member states have its own commissioner
1. Appointed to office with Parliament’s approval
2. Member states cannot influence their decision making
ii. Parliament exercises oversight over the Commission
g. Data Protection
i. Most active EU institution regarding data protection
ii. Responsible for the original 1990 Proposal for a Council Directive Concerning the
Protection of Individuals in Relation to the Processing of Personal Data
iii. Responsible for the 2012 reform of data protection rules in the EU
iv. Has power to adopt adequacy findings by which non member EU states are regarded as
providing an adequate level of data protection
v. Enforces Compliance with the Charter; protects individuals’ rights of privacy and data
protection
6. European Council
a. Treaty of Lisbon gives European Council its institutional status; has no legislative fx
b. Started as an informal body in 1974; gained formal status under Treaty of Maastricht in 1992
c. Comprised of heads of states form 28 member states and President of Commission
i. President is elected by qualified majority for a term of two and a half years; renewable
once
ii. President’s term can be ended in event of an impediment, serious misconduct by bote of a
qualified majority of members
d. Meet 4 times to define EU priorities and set political direction for the EU
e. Working in Practice
i. Decisions made by consensus
ii. Treaties may provide for alternative ways such as unanimity or qualified majority
7. European Court of Justice
a. Based in Luxembourg, set up under Treaty of Paris 1951 to implement European Coal and Steel
Community Legal Framework
b. Judicial body of the EU; makes decisions on issues of EU law and enforces EU decisions when
either Commission or Individual takes action against a member state
c. Became community Court under Rome Treaty of 1957; expanded pwrs with Treaty of Maastricht in
1992
d. Under Treaty of Lisbon, extended jurisdiction of the Court of Justice and renamed it Court of
Justice of the European Union
e. Consists of the Court of Justice (Court of Justice of the European Union) and the General Court
(Court of First Instance/CFI)
 f. Working in Practice
i. Composed of 28 Judges appointed for 6 years; judges elect a President for 3 years
ii. Has 8 advocates general who give reasoned non-binding opinions regarding a case
iii. Has one judge per member state
iv. Jurisdiction to hear
1. Cases brought by Commission or member state against another for failure to
fulfill treaty obligations
2. Actions brought by member states, an EU institution or natural or legal person to
review legality of acts by EU institution
3. Actions by member states, EU institutions or natural or legal person against EU
institutions for failure to act
4. Actions begun in national courts from which references are made for a
preliminary ruling to the ECJ regarding interpretation / validity of EU law
5. Opinions on compatibility of EU international agreements with treaties
6. Appeals on points of law from the CFI
g. Data Protection
i. Has been involved in cases related to data protection
1. Some actions begun in national courts
2. Other actions related to cases brought by the Commission against a member
state
a. Action by Commission against UK-Sept 30 2010; referral to ECJ for not
fully implementing EU rules on confidentiality of electronic
communications
3. Influential cases
a. Google Spain case (right to be forgotten)
i. ECJ holding: Where individuals object and certain
circumstances are met, search engines must remove list of
results that contain info relating to person’s name, links to web
pages published by Third parties, and results containing info
relating to the person
ii. Case also dealt with applicability of EU data protection laws
when controllers have an establishment in EU
b. Digital Rights Ireland case
i. Examined whether Data retention directive was valid in light of
Articles 7,8 and 11 of charter
ii. Held it was invalid
c. ANAF case
i. Personal data may not be transferred btn public admin bodies
of a member state without individuals being informed of
transfer
d. Weltimmo case
i. Minimal activities in a member state can trigger the application
of that member states’ data protection law - dealt with data
protection in cross-border situations in EU
e. Schrems case
i. October 2015, invalidated Safe Harbor

C. Legislative Framework
1. Introduction
a. There were concerns about potential threats to individual privacy as a result of increase in
electronic data processing and the appearance of large mainframe computers
b. European data protection law has been around since 1970
i. German introduced the first regional law in 1970
ii. Sweden introduced the first national law in 1973
2. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing
of Personal Data of 1981 (The CoE Convention)
a. First legally binding international instrument in data protection
i. Introduced since member states failed to respond to the Councils 1973/74 resolutions
ii. There was need for reinforcement of the principles in resolutions with a binding
international instrument
b. Nov 1976 and April 1980 committees from Austria, Belgium, France, Germany, Italy, Netherlands,
Spain, Sweden and Switzerland and UK met to craft the draft convention. Text opened for
signature 28 Jan 1981
c. Law was defining moment in development of European data protection law is noteworthy for three
reasons
i. Has principles similar to earlier resolutions and EU Directive like accuracy, security of
personal data and individual access to such data
ii. Ensures protection of individual privacy but recognizes free flow of personal data for
commerce and exercise of public fx
iii. Legally binding document requiring signatory states to implement principles by enacting
national legislation
d. Purpose: Achieve greater unity btn the signatory states and extend the safeguards for individuals’
rights and freedoms; right to privacy taking into account the increasing amount of personal data
undergoing automatic processing and flowing across national borders.
3. The EU Data Protection Directive (95/46/EC)
a. Directive was proposed in 1990 because of the differences in emerging data protection legislation
among EU member states that was impacting free flow of data
b. Also a few states had ratified the convention
c. EU limited in making standing alone human rights laws; set up the Directive as a harmonization
measure under the Treaty of Rome
i. Directive is a human rights law that protects the principles of the internal single market
d. Content
i. Consists of 72 recitals and 34 articles
1. Recitals - have theory and interpretation behind the Directive
2. Articles - Has obligations of member states in implementing Directive
ii. 34 articles arranged in the following chapters
1. General provisions
2. General rules on lawfulness of processing of personal data
3. Judicial remedies, liability and sanctions
4. Transfer of personal data to third countries
5. Codes of Conduct
6. Supervisory authority and working party on protection of individual’s data
7. Community implementing measures
iii. Directive has principles and member states have the discretion to implement them
iv. Compared to COE, Directive also applies to manual data. Under COE this was an option
v. Common phrases in directive include Necessity as grounds for data processing activity to
be lawful and adequacy-no international data transfers to jurisdictions that do not offer
adequate level of protection
e. Key Principles
i. Central requirements to processing of personal data
1. Processed fairly and lawfully
2. Collected for specified and legitimate purpose and not processed in a manner
incompatible with the purposes
3. Adequate, relevant and not excessive
4. Accurate and where necessary kept up to data
5. Processed in accordance with rights of the individual
6. Protected against accidental, unlawful, or unauthorized processing by the use of
appropriate technical and organizational measures
 7. Transferred outside EEA if countries ensure adequate levels of data protection
ii. Applies to
1. data controllers established in the EU OR
2. where there is no establishment but where the organization makes use of data
processing equipment on territory of a member state; org has to appoint
representative to act on its behalf
iii. Mandates establishment of Data Protection AUthority in each member state
iv. Mandates establishment of Article 29 working party composed of rep of the national
DPAs, European Data Protection Supervisor and the Commission
1. Article 29 wp examines operation of Directive and provides opinions and advice
to Commission
f. Review of the Directive and reform of EU Data Protection Framework
i. Comprehensive review of the Directive as a result of divergence of national measures and
practices implementing the directive and resulting impact on businesses and individuals
and developments in technology since the Directive was drafted
ii. Strategy for reform in 2000 with objective of protecting individuals’ data
iii. January 2012 proposals published which included GDPR and Law Enforcement
Protection Directive - Directive on protection personal data processed for purposes of
preventing, detecting, investigating or prosecuting of criminal offenses and related judicial
activities
iv. Changes in the reform
1. Single set of rules on data protection valid across the EU- notification req
removed coz costly for biz
2. Increased responsibility and accountability for data processors
3. Individuals have greater control of their data
4. Easier access for individuals to their own data and ability to transfer from one
controller/service provider to another
5. A right to be forgotten to help people better manage data protection risks online
6. Enabling organizations to deal with a single national data protection authority in
the EU country where there have main establishment in some instances.
Providing individuals with ability to refer matters to DPA in their country even
when data is processed outside EU
7. Ensuring EU rules apply if personal data is handled abroad by companies that
are active in the EU market and offer their services to EU citizens
8. Strengthening of powers of independent national DPAs so they can better
enforce EU rules at home including penalties of 1 million Euros or 2% of global
annual turnover
9. General data protection principles and rules for police and judicial cooperation in
criminal matters as contained in LEDP Directive
g. Commission submitted proposals to European Parliament and EU member states (Meeting in
Council of Ministers) for their review and discussion
h. Negotiation process known as trilogue before agreement was reached
i. 4 May 2016-Official text of the Regulation and Directive published in Official Journal of EU following
political agreements - European Parliament’s Committee on Civil Liberties and the Permanent
Representatives Committee of the Council, European Council and European Parliament
j. New data protection rules agreed upon on 15 Dec 2015.
k. Regulation entered into force 24 May 2016 and will apply from 25 May 2018
l. LEDP Directive entered into force 5 May 2016 and will need to be transposed to national law- 6
May 2018
4. The General Data Protection Regulation (GDPR) and related legislation
a. Introduction
i. Strengthens EU fundamental rights in digital age and facilitates biz
b. Content
i. Comprises 173 recitals and 99 Articles
 ii. 99 Articles arranged in the following ways:
1. General provisions
2. Principles
3. Rights of the data subject
4. Controller and processor
5. Transfers of personal data to third countries or international org
6. Independent supervisory authorities
7. Cooperation and Consistency
8. Remedies, liability and penalties
9. Provisions relating to specific processing situations
10. Delegated acts and implementing acts
11. Final Provisions
c. Main changes in the GDPR that will affect Companies
i. Application of the Law; Directly applicable to member states, no need for national
parliament intervention. Applies to businesses established in EU and applies to both data
controllers and processors
ii. No need for reference to EU-based processing equipment; location of the data subject will
determine whether regulation applies; Applies whenever use of personal data by a biz
relates to offering of goods or services to individuals in EU irrespective of whether
payment is req or monitoring of EU individuals’ behavior in EU
iii. Individuals in control of their data (strengthening of consent in relation to use of data)
1. Consent can’t be bundled with terms and conditions without clearly distinguishing
btn uses of personal data and other matters governed by terms and conditions
2. Consent can be withdrawn at any time and in easy way that should be explained
to individuals before it is obtained
3. Consent req in return for goods/svs or take it or leave it is not freely given
4. Parental consent for use of personal info of those under 16 yrs will be at
discretion of individual member states
iv. New and Stronger rights for individuals
1. More detailed transparency obligations-clear and plain language must be used
and adapted to individual data subject; if data is collected from a child, language
must be such that a child can understand it
2. New rights of data portability, restriction of processing, right to be forgotten and in
relation to profiling
a. People should receive info provided to biz in a structured commonly
used and machine readable format when info was obtained from data
subject based on consent or contract
b. Right to have data transmitted from one biz to another where technically
feasible
3. Retention of existing rights like right to access, rectification, erasure, right to
object. Right to charge a fee regarding access req removed unless request is
manifestly excessive
v. Accountability regime
1. Need to demonstrate compliance and be transparent about compliance
a. Implementation of data protection policies and measures to ensure data
processing activities comply with Reg
b. Data protection by design and data protection by default
c. Record keeping by controllers and processors
d. Cooperation with supervisory authorities by controllers and processors
e. Conduct data protection impact assessment for operations that present
specific risks to individuals due to nature or scope of the operation
f. Prior consultation with DPAs in high-risk cases
g. Mandatory DPO for controllers and processors for public sector and big
data processing activities
 vi. Data Processors’ new obligations
1. Regulation applies to processors unlike Directive
2. Processor may not subcontract a service without Controllers’ consent
3. Requirement for prescriptive terms for contracts with controllers
4. Maintain records of processing
5. Implement appropriate security measures
6. Appoint DPO in certain circumstances
7. Comply with international data transfer req and cooperate with supervisory
authority if req to do so
vii. International data transfers
1. Controllers and processors can transfer data outside of EU if they put in place
appropriate safeguards and on the condition that enforceable rights and effective
legal remedies for individuals are available
2. Measures regarding data transfer
a. Binding Corporate Rules
b. Standard contractual clauses adopted by the Commission
c. Approved code of conduct
d. Approved certification mechanism
e. Contractual clauses authorized by a DPA in accordance with the so
called consistency mechanism
viii. Security
1. Appropriate technical and organizational measures to protect the personal data
that is processed
2. Report data breaches to the DPA within 72 hours of becoming aware of it. If risk
to individuals is high, then individuals must be notified as well.
ix. Enforcement and risk of non-compliance
1. Individuals have a right to compensation for breaches for material or immaterial
damage.
a. Individuals afforded judicial remedies against DPA decisions which
concern them
b. Individuals have a right to compel a DPA to act on a complaint and
against data controllers and processors that breach their rights by failing
to comply with Regulation
c. Rights can be exercised by consumer bodies on behalf of individuals.
2. Sanctions include fines up to 20 million euros or up to 4% of total worldwide
annual turnover as a result of following infringements
a. Basic principles for processing, including conditions for consent
b. Data subject rights
c. Conditions for lawful international data transfers
d. Specific obligations under national laws where permitted by Regulation
e. Orders by DPAs including suspension of data flows
5. Law Enforcement Data Protection Directive
a. Directive complemented by other legal instruments like the specific rules for the protection of
personal data in police and judicial cooperation in criminal matters-2008 Framework Decision
b. Main objectives of the EU Directive for the police and criminal justice sector aimed at protecting
citizens’ fundamental right to data protection whenever personal data is used by criminal law
enforcement authorities
i. Better cooperation btn law enforcement authorities in fight against terrorism and serious
crime in Europe
ii. Better protection of citizens’ data regardless of whether they are victim, witness/criminal
1. Law enforcement processing in EU must comply with principles of necessity,
proportionality and legality and appropriate safeguards for individuals
2. Supervision is ensured by independant national DPAs and effective judicial
remedies provided
 iii. Clear rules for international data flows
6. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended
a. Background
i. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and protection of privacy in the electronic
communications sector (eprivacy directive) replaced the 1997 directive
ii. EU widened existing telecommunication laws to cover all electronic comm including
telecommunications, faxes, internet, email and other communication methods
iii. Directive has specific rules for the communications sector
iv. A result of:
1. advances in digital technologies being introduced in public communications
networks and the need for specific requirements to protect personal data and
privacy of the user
2. Devt in markets and technologies for electronic communication services
3. Need for consistent and equal protection regardless of technologies used
v. Originally proposed by Commission 12 July 2000 and published in Official Journal of EU
31 July 2002; had to be implemented into national law by member states - 31 Oct 2003
vi. Amended again Nov 24 2009 as part of wider reform to EU telecommunications sector
affecting 5 directives
1. Reform was to encourage greater industry competition, consumer choice and
protection including stronger entrenchment of consumers’ right to privacy
b. Content
i. Applies to processing of personal data in connection with provision of publicly available
electronic communication services in public communications networks in the EU
ii. Communications over a private network like computer intranet not covered
iii. Key provisions
1. Providers of publicly available electronic comm are req to take appropriate
technical and organization measures to safeguard security of svs, working with
network provider on which service is based where appropriate to ensure this
security
2. Member states are to ensure confidentiality of command of traffic data generated
by communications unless there are exceptions eg users give consent for
interception and surveillance/authorization by law
3. Prior consent for most forms of digital marketing including emails, SMS and MMS
messaging and faxes but not person to person telephone marketing. Limited
exception for biz to send marketing to existing customers for similar products and
services on opt-out basis
4. Processing of traffic and billing data subject to restrictions eg user of publicly
available electronic communication has certain rights related to itemised billing,
call-line identification, directories, call forwarding and unsolicited calls
5. Location data processed if data is made anonymous or processed with consent
of users and for duration necessary for provision of value added service
6. Subscribers informed b4 being included in any directory
iv. Relevant measures can be adopted to ensure that terminal equipment is constructed in a
way that is compatible with right of users to protect and control the use of their personal
data. No imposing mandatory technical req that might impede placing of equipment on
market and circulation of such equipment in and between Member states.
c. Amendments
i. The amendments were to be implemented by member states by end of May 2011
ii. Include:
1. Introduction of mandatory notification for personal data breaches by electronic
communications service providers to both national authority and relevant
individual in cases where breach is likely to adversely affect personal data or
privacy of a subscriber or individual
 2. A right for individuals and organizations (internet service providers) to bring legal
proceedings against unlawful comm
3. Storing of information or gaining access to info already stored in terminal
equipment of a subscriber (cookie) is allowed on condition user gives consent
after being provided with clear and comprehensive info
a. Exceptions:
i. Sole purpose of carrying out the transmission of a
communication over electronic comm network
ii. Strictly necessary for provision of an information society
service explicitly req by subscriber or user
iii. Not all member states have been able to transpose the cookie consent req into national
law
iv. Also consent is not defined in the ePrivacy Directive and therefore implied consent is used
by the Directive (should be freely given, specific, and informed indication of individual’s
wishes
d. Reform
i. Legislative proposal for new ePrivacy Directive on 10 Jan 2017
1. Why the Need for Reform
a. Needed to harmonize the specific privacy framework related to
electronic communication within the EU
b. Ensure consistency with the General Data Protection Regulation
ii. Key features
1. Wider application - applies to all providers of electronic comm (messaging svs on
mobile phone, email and voice providers)
2. Single set of rules for electronic comm
3. Confidentiality of electronic comm; unless consent from user/safeguard public
interest
4. Consent req to process commmunication content and metadata; there is need for
anonymisation of content or deletion if users have not given consent unless the
data is for billing. Includes time of call, location, duration, websites visited
5. New biz opportunities: Traditional telecom operators need more opportunities to
use data and provide additional svs eg producing heat maps to help public
authorities know presence of individual and develop new infrastructure
6. Revised rules on cookies
a. BE4 overload of consent requirment for internet users. Now Directive
gives users more control of settings, providing easy way to accept or
refuse tracking of cookies and other identifiers in case of privacy risks
b. No consent for non-privacy intrusive cookies that improve internet
experience(remember shopping cart history, filing in online forms over
several pages or for login info for same session)
c. No consent for cookies set by visited website counting number of
visitors to website
7. Protection against spam
a. Ban of unsolicited electronic comm by any means (email, SMS and also
phone calls if users have not been given consent)
b. Soft opt-in for users to object is retained for marketing of similar
products of services
c. Member states may opt for domestic legislation giving consumers right
to object to reception of voice to voice marketing calls by registering
their number on a do not call lists. Marketing callers need to display
phone number or use special prefix that indicates a marketing call)
8. Enforcement
a. Responsibility of national DPAs
e. Consequences of non-compliance
 i. Breaches of notice and consent, default privacy settings, publicly available directories and
unsolicited communication = fines of up to 10 mil or 2% of total worldwide annual turnover
whichever is higher
ii. Breaches of confidentiality, permitted processing of electronic comm data and time limits
for erasure of data = fines of up to 20 mil Euros or 4% of total worldwide annual turnover
whichever is higher
f. Proposal to introduce legitimate interests as basis for further processing of data
g. Comes into force May 2018
7. The EU Directive on Electronic Commerce (2000/31/EC)
a. The Electronic Commerce Directive 2000/31/EC is a European Union Directive of the European
Parliament and of the Council from 8 June 2000. It regulates certain legal aspects of information
society services in the Internal Market, in particular electronic commerce and mere conduit.
i. Mere conduit: Member States shall ensure that the service provider is not liable for the
information transmitted, on condition that the provider:
1. does not initiate the transmission
2. does not select the receiver of the transmission
3. does not select or modify the information contained in the transmission.
a. The acts of transmission and of provision of access include the
automatic, intermediate and transient storage of the information
transmitted in so far as this takes place for the sole purpose of carrying
out the transmission in the communication network, and provided that
the information is not stored for any period longer than is reasonably
necessary for the transmission.
ii. Caching: Where an information society service is provided that consists of the
transmission in a communication network of information provided by a recipient of the
service, Member States shall ensure that the service provider is not liable for the
automatic, intermediate and temporary storage of that information, performed for the sole
purpose of making more efficient the information's onward transmission to other recipients
of the service upon their request, on condition that:
1. The provider does not modify the information
2. The provider complies with conditions on access to the information
3. The provider complies with rules regarding the updating of the information,
specified in a manner widely recognized and used by industry
4. The provider does not interfere with the lawful use of technology, widely
recognized and used by industry, to obtain data on the use of the information
5. The provider acts expeditiously to remove or to disable access to the information
it has stored upon obtaining actual knowledge of the fact that the information at
the initial source of the transmission has been removed from the network, or
access to it has been disabled, or that a court or an administrative authority has
ordered such removal or disablement.
iii. Hosting: Where an information society service is provided that consists of the storage of
information provided by a recipient of the service, Member States shall ensure that the
service provider is not liable for the information stored at the request of a recipient of the
service, on condition that:
1. the provider does not have actual knowledge of illegal activity or information and,
as regards claims for damages, is not aware of facts or circumstances from
which the illegal activity or information is apparent
2. the provider, upon obtaining such knowledge or awareness, acts expeditiously to
remove or to disable access to the information.
b. Its aim is to provide legal certainty for business and consumers.
c. It establishes harmonised rules on issues such as the transparency and information requirements
for online service providers, commercial communications, electronic contracts and limitations of
liability of intermediary service providers.
 d. In order to encourage e-commerce, this Directive requires member states to remove legal
impediments to the enforceability of electronic contracts.
e. Among other things, this Directive
i. Makes clear that click-through agreements are enforceable and require that electronic
contracts satisfy substantive requirements imposed on traditional written contracts.
ii. Requires an exemption from liability for intermediaries which act as a mere conduit of
information from third parties and limits service providers’ liability for other intermediary
activities such as the storage of information.
iii. Requires that commercial e-mail communications be clearly identifiable.
iv. The provision of online services by regulated professions (such as lawyers or
accountants) is permitted and national rules on online advertising may not prevent
professions from operating websites
v. Article 14 forms the basis for notice and take down procedures by online hosts under EU
law.
8. European data retention regimes
a. Data retention underpinned by legal framework est by Directive 2006/24/EC of European
parliament and of Council of Europe of 15 March 2006 on the retention of data generated or
processed in connection with provision of publicly available electronic comm services or of public
communication networks
b. Designed to align rules on data retention across EU member states to ensure availability of traffic
and location data for serious crime and antiterrorism purposes.
c. Introduced when there was heightened national security concerns about threat of international
terrorism; faced criticism for scope and whether it was a measured response to perceived threat.
d. 2014 CJEU ruled Directive Invalid that it was disproportionate in scope and incompatible with rights
to privacy and data protection under Charter of Fundamental Rights
e. Directive no longer part of EU law; member states retain competence to adopt own national
retention laws under Article 15(1) of the ePrivacy Directive provided that laws comply with
fundamental rights principles of the CJEU ruling
f. Belgium, UK and Finland introduced national data retention laws at country level
9. Impact of Directives on member states
a. Lack of consistency and timely implementation under each directive; need for harmonization
i. Under eprivacy Directive, member states used different pieces of legislation to implement
ii. This created practical challenges for multinational org with data processing activities in
several states where compliance obligations were conflicting in areas such as
notifications, international data transfers and direct marketing requirements
b. Enforcement
i. Time limit to implement directive otherwise Commission takes action against member
state for failure to properly implement.
1. 2010 Commission announced that it will be taking UK to CJEU for failure to
properly implement provisions in Data Protection Directive and ePrivacy Directive
2. 2010 Commission sued Denmark, France, Germany, Ireland, Luxembourg and
Netherlands for failing to implement directive on time; dropped actions against all
except the Luxembourg
ii. Some provisions of Directive have a direct effect which means individuals could rely on
those provisions to bring actions against the governments in national courts
iii. Member states and their country must interpret laws in light of text and purpose of
directive even though it has not been implemented
c. Direct effect of the Regulation
i. Directly applicable in member states unlike directive; no need for further implementation at
national level
ii. When GDPR becomes law on 25 May 2018, national data protection acts that fall within
scope of Regulation will cease to be relevant. On paper Reg will provide consistency but
in reality will need to take into consideration national approaches
II. European Data Protection Law and Regulation
A. Data Protection Concepts
1. Personal data
a. Includes any information relating to an identified or identifiable natural person
b. Any information (consider nature, content and format)
i. Nature
1. Any statement about a person both objective (Rita has a JD) and subjective (she
is a good worker)
2. Info does not need to be true to be considered personal data
ii. Content
1. Includes an individual’s private life and information regarding any activity taken
by the person either in the professional or public sphere eg phone number at
work; home address; personal phone number
2. Includes online identifier, such as IP address, cookie or radio frequency tag used
to create a person’s profile and identify them demonstrating breadth of personal
data content
iii. Format
1. Includes information in any form automated and manual as well if for part of filing
system eg paper in a hospital clinic history, computer memory that records
electronic bank records of person, tape kept by a travel agent customer svs dept
that records telephone calls for training purposes, images on recorded closed-
circuit tv
c. Relating to
i. Information must be about a person
ii. Info relating to objects, processes or event may constitute personal info-eg individual
owning a car (object); technical info about mileage may be person info if processed for
issuing a bill to owner of car; info about car value personal data if considered an asset to
determine whether individual has to be pay tax
iii. To relate to person, three elements are needed: content, purpose or result (do not need
to apply cumulatively)
1. Content - when info is about an individual
2. Purpose - when info processed to evaluate, consider/analyze individual in certain
way
3. Result- Processing of certain info has impact on individual rights and interests
d. Identified or Identifiable
i. Person is identifiable when although person has not been identified yet, it is possible to do
so
ii. Person may be identifiable because info combined with other pieces of info whether
retained by data controller or not will allow individual to be distinguished from another eg
web traffic surveillance tools that make it possible to identify behavior of machine and
behind the machine the user
iii. Where possibility of singling out an individual does not exist or is negligible, person should
not be considered identifiable and information is not personal data
iv. CJEU Case: Patrick Breyer v. Brundesrepublik Deutschland: Dynamic IP addresses are
capable of being personal data if the person could be indirectly identified if IP addresses
are combined with data held by internet service providers such as time of connection and
pages visited by website (where a TP holds info likely to be used to identify website user
when put together with dynamic IP addresses held by provider of website, those IP
addresses are personal data.)
1. Case whereby individual challenged the collection and use of device dynamic IP
addresses to allow data on website to be transferred to correct recipient where a
new number is assigned to device for each connection from websites run by
German federal govt
e. Natural person
 i. Only applies to natural persons regardless of country of residence; not applicable to
personal data of deceased persons or organizational data
2. Sensitive personal data
a. This includes special categories of data that merit specific protection since by the nature of their
processing, they could create significant risks to individuals’ fundamental rights and freedoms
i. Includes personal data revealing
1. Racial or ethnic origin
2. Political opinions
3. Religious or philosophical beliefs
4. Trade union membership
5. Processing of genetic data
a. Personal data relating to inherited or acquired genetic characteristics of
a natural person which give unique information about the physiology or
the health of that natural person and which result in particular from an
analysis of a biological sample from the natural person in question
6. Biometric data for purpose of uniquely identifying a natural person
a. Photographs are covered under this category whereby they are
processed through a technical means allowing the unique identification
or authentication of a natural person
7. Data concerning health
a. Data relating to physical and mental health of natural person including
provision of health care services which reveal info about his or her
health status; includes data pertaining to health status of individual
which reveal info about past, current, or future physical or mental health
of person and includes
i. Information about natural person collected in course of
registration for or provision of health care services
ii. A number, symbol, or particular assigned to natural person to
uniquely identify natural person for health svs
iii. Info derived from testing or examination of a body part or
bodily substance including from genetic data/biological
samples
iv. Any info on for example, a disease, disability, disease risk,
medical history, clinical treatment, physiological or biomedical
state of data subject independent of its source for example
from a physician or health professional, a hospital, a medical
device or in vitro diagnostic test
8. Data concerning individual’s sex life or sexual orientation
3. Pseudonymous and anonymous data
a. Regulation does not apply to Anonymous info whereby info does not relate to identified or
identifiable person or personal data rendered anonymous such that data subject is no longer
identifiable
i. This includes aggregation of data for statistical purposes; context matters - if sample size
is small, could lead to identification of individuals
b. Pseudonymisation data is processing of data in such a manner that personal data can no longer be
attributed to specific data subject without use of additional info, provided that addition info is kepy
separately and subject to technical and organizational measures to ensure that the personal data is
not attributed to identified or identifiable person
i. Considered by GDPR as important safeguard to achieve data minimization for privacy
4. Processing
a. Processing is any operation or sets of operations performed on personal data or on sets of
personal data whether or not by automated means such as collection, recording, organization,
structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by
 transmission, dissemination or otherwise making available alignment or combination, restriction,
erasure or destruction
b. Conditions for processing of personal data
i. Processing must be wholly or partly carried out by automated means or
ii. Where processing is not by automated means, it must concern personal data that forms
part of a filing system or is intended to form part of a filing system
1. Filing system refers to structured set of personal data that is accessible
according to specific criteria
5. Controller
a. Application of controller and processors concept has evolved with the biz environment, increased
sophistication of outsourcing and growing tendency of organizations to centralize IT systems
b. Controller
i. Determines who shall be responsible for compliance with data protection law and how
individuals can exercise their rights; allocates responsibility
c. Definition
i. Natural or legal person, public authority, agency or any other body which alone or jointly
with others determines the purposes and means of processing of personal data
ii. Natural person, legal person or any other body
1. May be legal or natural person; preference should be given to consider the
controller to be the company or body as such rather than individual appointed by
company or body
2. Employees appointed by an organization acting on behalf of controller to ensure
compliance with data protection or processing of data are not considered
controller cos they act on behalf of the legal entity
iii. Alone or jointly with others
1. Different organizations, bodies or natural persons may be data controllers of
same personal data; jointly means that they act together regarding processing of
personal data
2. Examples
a. Airline and hotel may set up a shared website with travel agent where
holiday bookings are entered into shared database and parties carry out
integrated market activities
i. Not joint controller whereby identical data is held separately
and for distinct purpose
b. Parent company may provide centralized IT services to its subsidiaries
including centralized databases for employee or consumer records and
conduct independent operations on data to compare employee turnover
across group
i. Not joint controller when data is held by subsidiaries for
purposes of its biz; subsidiaries remain a controller for data of
its employees and customers
3. Intragroup scenarios of joint control are complex but Regulation emphasizes
need for responsibility to comply with regulation in a transparent manner
iv. Determining of the purposes and means of processing of personal data
1. Factual elements or circumstances regarding processing may be decisive in
determining controller even though contractual designation says otherwise.
a. Processor who determines the purposes and means of processing will
be considered a controller
v. Identifying source of control
1. Control from explicit legal competence
a. Explicit appointment of controller under national or community law
b. Law establishes task/imposes a duty on someone to collect data
2. Control from implicit legal competence
 a. Control stems from common legal provisions or est legal practice
(employer with employee data)
3. Control from factual influence
a. Control based on assessment of factual circumstances
i. Consider degree of actual control exercised by party,
impression given to individuals and reasonable expectations of
individuals on basis of this visibility
vi. Determining purposes and means of processing
1. Controller determine why data is collected and how it will be processed-purposes
and means of processing
2. Means of processing
a. Questions regarding:
i. Which data to be processed
ii. Which TP shall have access to data
iii. When data shall be deleted
3. Controller may delegate decisions about technical and organizational aspects of
the processing to processor provided it reserves the most important
determinations of purposes or means to itself including substantial questions
essential to the core of lawfulness of processing
d. Most of the responsibility for complying with GDPR falls on the controller
6. Processor
a. Is a person other than employee of controller who processes personal data on behalf of a controller
b. Does not have authority of allocating responsibility like the controller
i. Mechanics of processing may be determined by service provider who remains processor
provided the overall purposes are still determined by its client
c. Definition
i. Natural or legal person, public authority, agency or other body that processes personal
data on behalf of a controller
1. Processor is a person that is a separate legal entity with respect to controller
2. Person processes personal data on behalf of controller
ii. Controller can delegate determination of means of processing to a processor as far as
technical or organizational questions are concerned
1. Includes security, recordkeeping, notifying controllers of data breaches and
ensuring compliance with restrictions on international data transfers
iii. Processors have wide degree of discretion regarding how they carry out duties but these
all relate to the How. Obligations relating to purpose such as processing has lawful ground
and respecting individual rights are only imposed on data controller
iv. Processor who goes beyond their mandate by deciding on purposes of processing or
essential means of the processing will be considered controller in respect of processing
v. Processor should process personal data only on controller’s instructions and that a
contract or a binding legal act regulating the relations between the controller and
processor should be in writing
1. Contract; must set out nature and purpose of any data processing; the type of
personal data; categories of data subjects
2. Further details of the processing contract
a. Processor shall process personal data on documented instruction from
controller including transfers of data outside EEA
b. Processors should be committed to confidentiality or process personal
data under an appropriate statutory obligation on confidentiality
c. Take all measures regarding security of processing
d. Respect conditions for enlisting another processor
e. Assist controller by appropriate technical and organizational measures
for fulfillment of controller’s obligation to respond to requests to exercise
data subject’s right
 f. Assist controller in complying with obligations related to security, data
protection impact assessments and breach notification taking into
account nature of processing
g. At controller’s choice, return all data to controller after end of provision
of data processing svs
h. Make available to controller all info necessary to demonstrate
compliance with obligations and llow and contribute to audits including
inspections, conducted by controller or another auditor
vi. Processors should engage another processor with authorization of data controller (either
general or specific; if general, processor must allow controller to object to addition or
replacement of other processors; contract btn initial processor and sub-processors and
must include mandatory provisions above and initial processor remains liable for
performance of sub-processors
vii. Factors to consider when distinguishing between data controller and processor
1. Level of prior instruction given by controller which determines degree of
independent judgment processor can exercise
2. Monitoring by controller of execution of the service-clear monitoring by a
controller shows that it is in full and sole control of processor
3. Visibility /image portrayed by controller to individual and expectations of
individual based on that visibility
4. Expertise of parties; greater expertise of service provider relative to that of its
customer, the greater the likelihood that it is the controller
7. Data subject
a. GDPR only applies to identified or identifiable natural person and not legal entities/persons
including name and form and contact details of legal person
b. GDPR does not apply to deceased persons but member states may provide for rules in this area
B. Territorial and Material Scope of the General Data Protection Regulation
1. Introduction
a. Territorial
i. GDPR applies to organizations established in the EU
ii. it applies on an extraterritorial basis to organizations which offer to sells goods or svs to or
who monitori individuals in EU
b. Material Scope
i. Does not apply to processing for domestic purposes or processing regulated by another
EU Data Protection Law Regulation e.g 45/2001 that applies to processing of personal
data by EU institutions
2. Establishment in the EU
a. Applies to processing of personal data in the context of activities of an establishment of a controller
or a processor in the Union regardless of whether processing takes place in EU or not
b. Whether an organization has an establishment in the EU depends on whether human and technical
resources are available not just where an entity is incorporated. A single server aint enough
c. Weltimmo v. Naih - CJEU case
i. Weltimmo was incorporated in Slovakia and had a website targeting the Hungarian market
advertising Hungarian properties and being written in Hungarian. Hungarian individuals
complained to Hungarian DPA that Weltimmo had not actioned requests to remove
properties from the site and they were charged. Weltimmo argued Slovakian DPA should
handle matter
ii. CJEU stated that establishment is a broad and flexible phrase and does not depend on
legal form. Org is established where it exercises through stable arrangement in territory of
that member state, a real and effective activity even a minimal one
iii. Presence of a single representative may satisfy there being an establishment
iv. Weltimmo considered established in Hungary even though incorporated in Slovakia
1. Weltimmo’s website was mainly or directed at Hungary; had properties situated
in Hungary and was written in Hungarian
 2. Weltimmo had a representative in Hungary who represented Weltimmo in admin
and judicial proceedings
3. Weltimmo had opened a bank account in Hungary to recover debts
4. Weltimmo had used a letter box in Hungary to manage its everyday biz affairs
5. Nationality of data subject irrelevant
d. In the context of the activities
i. If the personal data is carried out in the context of the activities of the Establishment, Reg
applies regardless of whether the processing takes place in the Union or not
ii. Google Spain SL v. AEPD under Directive
1. Google Spain SL was promoting and selling advertising space in Spain on behalf
of Google Inc but was not involved in functionalities of search engine and actual
processing of data
2. CJEU found sufficient connection btn activities of Google Spain SL and search
engine’s data processing activities that the activities in Spain are inextricably
linked since activities relating to advertising space render search engine
economically profitable and the engine is the means enabling activities to be
performed
iii. Based on the WP29, any organization that has EU sales offices which promote or sell
advertising or marketing or which target individuals in the EU; also applies to overseas
companies with EU offices which market EU services paid for by membership fees or
subscriptions
e. Or a Processor
i. Regulations applies to processing of data in context of activities of an establishment of a
controller or processor in EU; GDPR applies whether processing takes place in EU or not
ii. Directive only focused on controller
iii. GDPR applies to data processing where data processor has EU establishment
notwithstanding that the controller, subject and processing are all outside the EU
f. In the context of the activities is no longer explicitly used to determine which of several member
state laws should apply
i. If a controller is established in more that one member state, courts and DPAs would turn
to context of the activities of an establishment of a controller to determine which member
state’s laws apply
ii. VKI v. Amazon
1. Amazon’s Luxembourg incorporated managed a website used by Austrian and
German consumer. Amazon has no presence in Austria and has another entity
incorporated in Germany
2. Amazon asserted that it would be subject to Luxembourg court and CJEU agreed
stating that company had website accessible by Austrians but this was not
sufficient to make it established there
3. Non-establishment in the EU
a. Targeting of EU Subjects
i. Non EU established organizations subject to GDPR where they process personal data
about EU data subjects in connection with the offer of goods or svs to EU data subjects.
Payment by the data subject is not required
ii. The test; It should be apparent that the controller or processor envisages offering svs to
data subjects
1. There should be some degree of intent and awareness and apparent that there
should be external evidence of the intent.
2. Mere accessibility of a website within the EU, mere contact addresses accessible
from EU and use of same language as used in controller’s home country
insufficient
3. Relevant factors to show intent/awareness
a. The use of an EU language
b. Display prices in EU Currency
 c. Ability to place orders in EU languages and
d. Reference to EU users and customers
4. Brussels I Regulation governing jurisdiction in civil and commercial matters could
offer some guidance
a. Regulation allows consumers to bring proceedings against seller in
member state where consumer is domiciled rather than member states
where biz is based if biz has directed activities to consumer’s member
state
5. CJEU interpretation regarding intention to target EU customers
a. Patent evidence such as payment of money to search engine to
facilitate access by those within a member state or where targeted
member states are designated by name and
b. Other factors possibly in combination with each other- including
i. International nature of relevant activity eg tourist activities
ii. Mentions of telephone numbers with an international code
iii. Use of top level domain name other than that of state in which
the trade is established eg US organization acquiring .eu or .de
iv. Description of itineraries from Member states to place where
service is provided
v. Mentions of international clientele composed of customer
domiciled in various Member State
b. Monitoring of behavior
i. Non EU organizations who monitor/profile EU individuals will also be subject to regulation
provided that the behavior monitored occurs within EU
ii. Monitoring is tracking of individuals online to create profiles including where this is used to
make decisions particularly concerning them or for analyzing or predicting personal
preferences, behaviors, and attitudes
iii. Under Directive-org that target EU subjects but with no EU establishment only had to
comply with EU rules if they also made use of equipment in EU to process personal data;
cookies amounted to equipment according to supervisory authorities. GDPR applies to
non-EU est. org regardless of equipment limitation
4. Public International law
a. Regulation applies where the processing of personal data by a controller not established in Union
but in a place where Member State law applies by virtue of public international law
b. Covers embassies and consulates of EU member states / airplanes and ships to which Reg applies
by virtue of international treaties
5. Material Scope of the Regulation
a. Activities that fall outside the Regulation’s scope
i. Matters outside the scope of EU law eg processing operations that concern public security
defence and national security; activities in relation to common foreign and security policy
of the EU
ii. Household exemption
1. Data processing by a natural person in course of purely household activity. Eg
correspondence and the holding of address books even though concern private
life of persons provided use is personal and not professional; social networking
and online activities
2. Reg will apply to controllers and data processors that provide means for
processing personal data for personal or household activities
3. CJEU case interpretation of similar provision in Directive: Lindqvist ; CJEU
considered whether publication of info relating to individuals she worked with on
voluntary basis fell under exemption. CJEU held that Lindqvist could not rely on
exemption cos it was confined to activities carried out in course of private / family
life or individuals which was not case here where processing consisted of
 publication on the internet so that data was made accessible to wider number of
people
4. Based on GDPR it appears that the publication of info to the world at large in
comparison to narrower group of friends may be factor in applicability of
exemption
iii. Prevention, detection and prosecution of criminal penalties including safeguarding against
and prevention of threats to public security; this applies to data processing by police,
prosecution, courts and offender support services for law enforcement purposes
1. Where competent authorities mentioned above process personal data for
purposes other than the purposes of LEDP Directive, Regulation would apply
unless the activity falls outside scope of European Union like national security
2. Competent authority can be subject to both GDPR and LEDP based on how the
data is processed
iv. EU institutions
1. EU institutions, bodies, offices and agencies are not covered by GDPR.
2. Regulation 45/2001/EC on protection of individuals with regard to processing of
personal data by the community institutions and bodies will apply to EU inst
v. Relationship with eprivacy Directive
1. European Commission aims to achieve coherence btn ePrivacy Directive and
Regulation since there are areas of significant difference and overlap btn the two
with regard to territorial scope, data breach notifications, liability and sanctions
2. GDPR will not impose additional obligations on natural or legal persons in
relation to processing in connection with provision of publicly available electronic
communications services in public communication networks in Union in relation
to matters for which they are subject to specific obligations with the same
objective set out in Directive 2002/58/EC
vi. Relationship with E-commerce Directive
1. Regulation is without prejudice to rules in E-Commerce Directive in particular to
those concerning liability of intermediary service providers and which purport to
limit their exposure to pecuniary and criminal liability where they merely host,
cache or act as mere conduit
2. It appears that the regulation covers processing of personal data that is excluded
from the scope of the E-commerce directive (Directive 2000/31/EC)

C. Data Processing Principles

1. Lawfulness, Fairness and Transparency
a. Personal data is to processed only if a legal ground exists and to the extent the processing is
carried out in a fair and transparent manner towards the individuals whose personal data is
collected and used
b. Lawfulness
i. Personal data must only be processed when data controllers have a legal ground for
processing the data. Data processing should be carried out within limits of the applicable
laws such as data protection laws and other applicable rules and codes dealing with
employment, competition, health, tax or other general public interest
ii. Processing lawful under following grounds
1. Consent from data subject to processing of personal data for one or more
specific purposes
2. Contract performance; processing necessary for performance of contract to
which data subject is a party or in order to take steps at request of data subject
prior to entering into a contract
3. Legal obligation; processing is necessary for compliance with legal obligation to
which controller is subject
4. Vital interest of individuals
 5. Public interest; Processing necessary for performance of task carried out in
public interest or in exercise of official authority vested in controller
6. Legitimate interest pursued by controller or TP except where such interests are
overridden by interests or fundamental rights and freedoms of data subject which
require protection of personal data especially where data subject is a child
iii. Regulation grants to member states the right to determine more specific legal
requirements to ensure lawful and fair processing of personal data in specific processing
situations (employer-employee relationship, allowing member states to define age of
minors; to protect genetic or biometric data or statistical, historical, or scientific purposes)
c. Fairness
i. Data subjects must be aware of fact that their personal data will be processed including
how data will be collected, kept and used to allow them to make an informed decision
about whether they agree with such processing and enable them to exercise their data
protection rights
1. Controller must be transparent by providing sufficient info and implementing
proper mechanisms for individuals to make informed decisions and exercise their
choice and rights unless processing is justified
ii. Processing automatically permitted by law is deemed fair even though data subject might
not be aware/aware of the fact that their personal data is being processed
iii. Fairness also req assessing how processing will affect data subject and if it negatively
affects individuals and such detriment is not justified then processing is unfair
iv. Where processing negatively affects individual but is justified that processing is fair eg
driver who is driving above certain limits and has received multiple fines for speeding.
Processing of his data will be detrimental since it will lead to an increased fine for him in
comparison to driver who has received their first speeding fine
d. Transparency
i. A controller must be open and clear toward data subjects when processing personal data
ii. Information to data subjects to be provided in a timely manner
1. When info is collected from data subject directly then relevant info must be
available at time of collection
2. When data is collected from different sources, different period is provided for
providing that info
iii. Data subjects should be notified regarding how their personal data is processed
1. No need for notification where data was obtained directly from data subject and
data subject is already aware of the information
2. No need to provide information when data was collected from other sources
a. When info will involve a disproportionate effort or impossible
b. Protect data subject’s legit interest in which case, disclosure is
governed by applicable law
c. Preserve confidentiality of info, also regulated by laws to which data
controller is subject
iv. Information should be clear, concise and easy to understand and be provided in an
accessible manner
1. Regulation promotes the use of visual and standardised icons or symbols as
alternative means to inform individuals in a concise and clear way
2. Controller should take into consideration, type of data to be processed, manner
in which personal data will be collected and whether the information is obtained
directly from that data subject or from other sources
3. Other guidelines
a. When processing involves personal data of children, there is need to
communicate or draft info in simple and plain language to allow children
to understand it
 b. If information is obtained in context of a medical examination, medical
practitioner must inform patients using plain language. Such info must
be provided before examination is carried out
c. They should use short and ad-hoc privacy notices instead of long legal
texts
v. GDPR eliminates the need for controllers to notify data protection authorities of processing
of personal data since it did not contribute to protecting personal data
2. Purpose limitation
a. Controllers must only collect and process personal data to accomplish specified, explicit and
legitimate purposes and not process personal data beyond such purposes unless the further
processing is considered compatible with original purpose
i. Controller must take into account:
1. Any link between the original purposes and the purposes of the intended further
processing
2. The context in which personal data has been collected in particular the
reasonable expectations of data subjects based on the their relationship with the
controller as to their further use
3. Nature of personal data
4. Consequences of intended further processing for data subjects
5. Existence of appropriate safeguards in both original and intended further
processing
b. If compatible and above conditions are met, there is no need for other legal basis separate from the
one that allowed the original collection and use of the personal data. However, if processing is
incompatible, there is need for a separate legal ground (eg consent of data subject before starting
the processing of data for new purpose) or satisfy one of the other available legal criteria to justify
the processing
c. Data controllers must first identify purpose for which personal data will be processed
d. The use of personal data for statistical, public interest, scientific or historical research purposes is
compatible as long as it is done within limits set by Union or member states’ law that governs that
processing
3. Data Minimisation
a. Data controllers must collect and process personal data that is relevant, necessary and adequate
to accomplish purposes for which it is processed; only collect data that is directly relevant and
necessary to accomplish a specific purpose
b. Requires application of two concepts
i. Necessity
1. Controllers must assess whether the personal data to be collected is suitable and
reasonable to accomplish a specific purpose
a. Suitable if the personal data is of a nature necessary to attain the
purpose
b. Adequate if the nature or amount of personal data is proportional in
relation to the purposes
2. Controllers need to first ascertain whether specific purpose can be accomplished
by using anonymous data
3. Data will be excessive and unnecessary in relation to the purpose if such a
purpose could be accomplished by excluding certain data fields eg not storing full
date of birth when a generic age range can be used
ii. Proportionality
1. Consider the amount of data to be collected. If excessive data is collected in
relation to purposes then it is disproportionate
a. Example using biometric data like fingerprints to identify individuals
when identity cards would suffice
2. Save everything mentality is a breach of data minimization principle
3. To assess adequacy
 a. Take into consideration adverse impact of means of processing
b. Verify whether alternative means exist that may lead to less intrusive
means of processing
4. Accuracy
a. Controllers must take reasonable measures to ensure that data is accurate and where necessary
kept up to date
i. Processes should be implemented to prevent inaccuracies during data collection
ii. Controller must consider type of data and specific purposes to maintain accuracy of data
in relation to purpose
iii. Controllers should verify authenticity of the info collected and evaluate how reliable the
source from which they collect the information is
b. When data is stored for statistica/historical purposes, controller needs to main the personal data as
originally collected
c. Records should be kept to ensure accuracy and errors should be corrected
d. Principle req that controllers respond to individuals’ requests to correct records that contain
incomplete info or misinformation
5. Storage limitation
a. Personal data must not be kept longer than necessary for purposes for which personal data is
collected
i. During recruitment, personal data of candidates needed but after, controllers must not
keep personal data of unsuccessful candidates
b. Personal data may be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical research or statistical
purposes
c. Regulation calls for time limits to ensure personal data are not kept longer than necessary
d. Controller must verify whether statutory data retention periods exists in relation to the type of
processing
i. Personal data may be kept to comply with tax, health, safety, or employment regulations
e. Consider periods for which data is collected and then delete data in absence of a sound new
reason to retain it
6. Integrity and confidentiality
a. Appropriate security during processing of data to protect against unauthorized or unlawful
processing and against accidental loss, destruction, or damage using technical organisational
measures (integrity and confidentiality)
b. An information security policy framework needs to be implemented by controllers to preserve the
CIA of data
c. Need for a cross functional team comprising legal and technical data security experts to define an
organization's’ information security strategy and policies
d. Need for resources for the information security policy framework and a budget to properly
implement and maintain the organizational and technical measures to effectively implement proper
processes and tools to comply with the integrity and confidentiality principle
e. Regulation recommends encryption and pseudonymisation to protect data
f. For sensitive data, additional care should be taken and controllers must take into account potential
impact on individuals that a breach of the integrity or confidentiality of personal data may cause to
implement measures that sufficiently protect the individual
D. Lawful Processing Criteria
1. Introduction
a. Consent is at the heart of data protection and privacy laws
b. Under Art. 6 of Regulation, there should be lawful basis for data processing; are discussed below
c. If lawful basis can not be established then the controller will need to establish some other exception
such as journalism/research/free speech/public interest
2. Consent
 a. Is defined as freely given, specific, informed and unambiguous indication of the data subject’s
wishes by which he or she by a statement or by clear affirmative action signifies agreement to the
processing of personal data
i. Freely given - data subject has genuine choice and must be able or has the freedom to
refuse/withdraw consent
1. Consent must be presented in a manner distinguishable from other issues
otherwise if bundled together and not separated then it is not binding
2. If performance of contract is conditioned on consent to processing personal data
when it is not necessary for performance of contract, it is invalid
3. Employer-employee relationship does not show freely given consent where
employee cannot withhold consent without suffering prejudice
4. Where there is clear imbalance bth data controller and data subject such as
when controller is a public authority, consent should not be relied upon
ii. Specific
1. Consent must be given specifically for the particular processing operation in
question; if multiple purposes exist, consent must be given for all of them
2. In scientific research where it is not possible to identify purpose of data
processing, data subjects can legally give their consent to certain areas of
scientific research consistent with recognized ethical standards for scientific
research
iii. Informed
1. Data subject must be given all necessary details of the processing activity in a
language and form they can understand so that they know how processing will
affect them
2. Regulation states that informed consent requires the data subject to be aware of
the identity of the controller and purposes of processing
iv. Unambiguous
1. Data subject’s statement or clear affirmative act must leave no doubt as to their
intention to give consent
2. Active indication of consent is required like ticking a selection box; pre-ticked
box/ silence unacceptable!
3. Ongoing interactions with data subject such as data subject’s choice of technical
settings for information society services provides sufficient consent
b. Where consent is preformulated, it should be provided in an intelligible and easily accessible form
using clear and plain language and with no unfair terms in line with consumer protection req
c. Controllers are obligated to keep a record of consents given by particular individual data subjects to
demonstrate that data subjects has given consent to the processing operation
d. No explicit consent for data processing unless it is sensitive data or for international data transfers
e. Consent not similar to opt out since opt-out shows that lack of action by data subject means lack of
objection- not unchecking the box is not consent!
f. Consent obtained through duress or coercion is not valid. Certain people may not have capacity to
give consent. With regard to information society services offered directly to children, Children under
13 years cannot give consent, it will need to be given or authorized by the holder of personal
responsibility over the child. Processing lawful when the child is 16 years old
i. Minimum age of consent will differ across EU since member states may set a minimum
age of consent less than 16 years so long as age is not lower than 12. UK announced it
will set minimum age of consent as 13 yrs
ii. Minimum age of consent is only in context of information society services offered directly
to a child and where the controller relies solely on consent or cannot rely on another
criterion.
3. Contractual necessity
a. Test for necessity is requiring a close and substantial connection between the processing and the
purposes. Processing that is merely convenient or in the interest of one of the criteria without being
necessary will not meet this test.
 b. Processing has to be strictly necessary for stated purpose
4. Necessary for the performance of a contract to which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contact
a. Relevant where data subject purchases service or product from a controller and through delivery of
service or product, the controller needs to process the individual’s personal data
b. Narrowly interpreted; processing should be unavoidable to complete the K
5. Legal obligation
a. It relates to legal obligation where controller is req by law to comply (tax, social or security
obligations mandated by National EU or member state legislation). Can’t be a contractual obligation
b. Legal obligations imposed by third countries do not meet this criteria
6. Vital interests
a. Refers to circumstances involving life or death where processing is vital to data subject’s survival
b. Relevant only in rare emergency situations eg when data subject is unconscious and processing is
necessary for urgent medical care
c. Only used where there can’t be another legal basis
7. Necessary for the Performance of a Task carried out in Public interest or in the exercise of official authority
vested in the controller
a. National EU or member state legislation determine what tasks are carried out in the public interest
b. Data subjects have right to object to use of their data under this criterion and controller needs to
show that it has compelling legitimate interest to process the data. These grounds must be
sufficient to override the interests, rights, freedoms of the data subject or for the establishment,
exercise or defence of legal claims
8. Legitimate interests pursued by controller or TP except where they are overridden by interests, rights,
freedoms of the data subject
a. Public authorities will no longer need to rely on this criterion
b. For non-public authorities, they will need to satisfy the following factors
i. Processing must be necessary for the purpose
ii. Processing must be a legitimate interest of controller or TP
iii. Legitimate interest cannot be overridden by the data subject’s interest, fundamental rights
and freedoms
1. Controller will need to consider the reasonable expectations of data subjects
based on their relationship with the controller based ib the relevant and
appropriate relationship between the data subject and the controller in situations
where data subject is client or in service of controller
iv. Legitimate interest includes the following
1. Processing that is strictly necessary to prevent fraud is legitimate
2. Includes example of direct marketing
3. Sharing of personal data within a group of undertakings or institutions affiliated to
a central body for internal administrative purposes
4. Necessary and proportionate to ensure network and information security
v. Controller will need to consider interpretation by local data protection regulators and
courts
1. In UK, France and other member states - this criterion has been interpreted
widely
a. Test in UK -Establish legitimacy of interest pursued and ensure
processing is not unwarranted in any particular case through prejudice
to the individual concerned
2. In Italy, legitimate interests have been specifically set out by italian DPA
vi. Controllers need to know that data subjects have the right to object to use of their data
and controller will need to demonstrate compelling legitimate grounds to process personal
data that overrides the interest, rights and freedoms of data subject or for establishment,
exercise or defence of legal claims; if objection from data subject is justified, cease
processing
 vii. In the directive, controllers did not need to document the legitimate criterion or comm to
data subject. Under regulation, will need to provide privacy notice and specify legal basis
for processing and if relying on legitimate interest, describe the legitimate interest pursued
and proper notification to data subjects
9. EU/ Member state Law; Legal Obligation and Public Interest
a. EU /Member State Law Can determine whether controller is a public authority or not
b. The above criteria (Legal obligation and public interest) are relevant for processing for freedom of
expression and information, processing in the context of employment and processing for archiving,
scientific, historical or statistical purposes
c. Variations expected regarding the two criteria
10. Special categories of processing
a. Regulation adds biometric and genetic data to list of sensitive data
b. Member states allowed to maintain / introduce further conditions including limitation for the
processing of biometric, genetic data or data concerning health
c. Choice of the categories based on anti discrimination laws and derived from Convention 108-
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data
d. Processing of sensitive data requires Art 6 - lawful basis for processing and Art 9 exception for
processing sensitive data
e. Processing of sensitive data prohibited-pose a threat to privacy but there are exceptions
i. Consent
1. Explicit, specific, informed, unambiguous and freely given consent-more than a
statement or clear affirmative action;
2. in writing with handwritten signature either paper or electronic form that uses
electronic or digital signature or by clicking icon or sending confirmatory email; or
be documented in permanent record
3. Member State law may ask for more than consent
4. Variations in the concept across EU
a. UK - ticking a box and clicking Accept is explicit consent
b. German Law - Valid if consent refers specifically to the sensitive data to
be processed, requires just in time consent notice and broader privacy
statement
ii. Necessary for purpose of carrying out obligations and exercising specific rights of
controller or data subject in field of employment and social security and social protection
law in so far as it is authorised by Union or Member State law or collective agreement
pursuant to Member State Law providing for appropriate safeguards for the fundamental
rights and the interests of the data subject
1. Relevant when data subjects are candidates, employees and contractors
2. Controller will need to comply with necessity test
iii. Protecting Vital Interests of Data Subject or another natural person where data subject is
physically or legally incapable of giving consent
iv. Processing is carried out in the course of its legitimate actions with appropriate safeguards
by a foundation, association or any other not-for-profit body with a political, philosophical,
religious trade union aim and on condition that the processing relates solely to the
members or former members of the body or to persons who have regular contact with it in
connection with its purposes and that the personal data are not disclosed outside that
body without consent of data subjects
1. Covers non-profit institutions such as churches and other religious
establishments or political parties
2. Relates to processing of sensitive data about either members or former members
of the organizations or those with regular contact with organization
3. Disclosure outside body is allowed if data subjects provide explicit consent and
processing only occurs
a. In the course of the org legitimate activities
 b. With appropriate safeguards
c. In connection with specific purposes
v. Processing relates to personal data manifestly made public by data subject eg sharing
sensitive info in an interview or social media platform
vi. Processing is necessary for the establishment, exercise or defence of legal claims or
whenever courts are acting in their judicial capacity
1. Example processing medical data by an insurance company in order to
determine whether person’s claim for medical insurance is valid
vii. Processing for reasons of substantial public interest on basis of Union or Member State
law which shall be appropriate to the aim pursued, respect the essence of the right to data
protection and provide for suitable and specific measures to safeguard the fundamental
rights and interests of the data subject
1. Based on the regulation, laws must be proportionate to the aim pursued and
Show respect for the essence of the right to data protection
2. Provide for suitable and specific measures to safeguard fundamental rights of
data subjects
3. No need for member states to notify EU Commission about processing sensitive
data by relying on reasons of substantial public interest
4. In Italy, substantial public interest includes activities carried out by the National
Health Svs and in UK processing is permitted under a statutory instrument when
it is necessary for purposes of preventing or detecting any unlawful act or to
discharge any function designed to protect the public against dishonesty,
seriously improper conduct or mismanagement in the administration of any
organization
viii. For the purposes of preventive or occupational medicine for the assessment of the
working capacity of the employee, medical diagnosis, provision of health or social care or
treatment or management of health or social care systems and services on the basis of
Union or Member State Law or pursuant to contract with a health professional and subject
to conditions and additional safeguards
1. If processing is related to medical or social care purpose
2. Includes data processing in the context of
a. Delivering health care svs; medical diagnosis, treatment, management
of healthcare systems and svs, preventive or occupational medicine
b. Provision of social care, treatment and management of social care
systems and svs
c. Basis of either EU/Member state law
d. Under a contract with a health professional
e. Processing by a person who is subject to professional secrecy
obligation
f. Assessment of working capacity of employee eg drug testing and other
assessments to ensure employee is fit to work
3. Exception applies to doctors, nurses and others involved in the healthcare
profession
ix. For reasons of public interest in area of public health such as protection against serious
cross border threats to health or ensuring high standards of quality and safety of health
care and of medicinal products or medical devices on the basis of Union or Member State
law which provides for suitable and specific measures to safeguard the rights and
freedoms of the data subject in particular professional secrecy
1. Processing for public interest reasons in the area of public health without the
consent of data subjects
a. Covers those engaged in public health care and the supervision of
drugs and medical devices to ensure quality and safety
2. Includes health status morbidity and disability, determinants having an effect on
that health status, health care needs, resources allocated to health care,
 provision of and universal access to health care as well as health care
expenditure and financing and causes of mortality
a. Other parties like employers, insurance or banking companies should
not process the information
x. Processing is necessary for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes under Article 89(1) based on Union and Member
State law which shall be proportionate to the aim pursued, respect the essence of the right
to data protection and provide for suitable and specific measures to safeguard the
fundamental rights and the interest of the data subject
1. Article 89(1) requires safeguards for processing that falls within this criterion
2. Technical and organisational safeguards should be in place to ensure respect for
the principle of data minimization; may also include pseudonymisation and
anonymisation
3. Further derogations allowed under Article 89(1) regarding rights granted to data
subjects where those rights are likely to render impossible or seriously impair the
achievement of these particular purposes and where derogations are necessary
for fulfillment of these purposes
f. Data on offences, criminal convictions, and security measures
i. Requires greater degree of protection
ii. Such processing should be under the control of an official authority or when the
processing is authorized by Union or Member State law providing for appropriate
safeguards for the rights and freedoms of data subjects
g. Processing which does not require identification
i. Controller not required to comply with certain obligations concerning the rights of data
subjects except that this assumption is reversed when the data subject provides additional
info to controller to enable identification
E. Information Provision Obligations
1. Transparency principle
a. Requires openness and honesty about the ways personal data will be used
b. Data subjects must be aware of their rights, risks, rules and safeguards in relation to the processing
c. Failure to provide fair processing info or process info in accordance with info provided is a breach
and renders processing unfair
d. Transparency is vital when consent as a basis for processing is considered
e. Regulations has eliminated the need for controllers to notify supervisory authorities about
processing
f. Provision of info to data subjects under Article 13 and Article 13(2)
i. When data is collected from the data subject under Article 13
● Identity and contact details of controller and where applicable controllers rep
● Contact details of dpo when one is appointed
● Purpose and legal basis of the processing
● Where processing is necessary for controller’s legitimate interest or legitimate
interest of TP, legitimate interests pursued by controller/TP
● Recipients or categories of recipients of personal data if any
● Whether controller intends to transfer personal data to third country or
organization and if so
a. Whether or not adequacy decision by the European Commission exists
regarding transfer
b. If transfer is made on basis of appropriate safeguards pursuant to
Articles 46 or 47 of the Regulation
i. Under standard data protection clauses adopted by the Comm
ii. Basis of controller’s legitimate interest
iii. BCR
 reference to the appropriate or suitable safeguards relied upon by
controller and means to obtain a copy of them or where they have been
made available
● Under Article 13(2) the additional information should be provided to ensure fair
and transparent processing
a. Period for which data will be stored or if that is not possible, criteria
used to determine that period
b. Info about data subjects’ rights to
i. Request access to, rectification or erasure of personal data
ii. Requests restriction of processing concerning data subject
iii. Object to processing
iv. In relation to data portability
c. Where processing is based on consent or explicit consent ( special
categories of data), the right for the data subject to withdraw consent
without affecting the lawfulness of processing
d. Right to lodge a complaint with supervisory authority
e. Whether provision of personal data is statutory or contractual
requirement or a req necessary to enter into a contract as well as
whether data subject is obliged to provide personal data and possible
consequences for not doing so
f. Existence of automated decision making including profiling (where it
procedures legal effects or significantly affects a data subject or
involves special categories of personal data). The controller engaged in
profiling should also provide meaningful info about the logic involved
and the significance and envisaged consequences of processing for the
data subject.
ii. When personal data is collected from other sources, data controller must provide
information above under Article 13 and 13(2) and the following additional information
● Categories of personal data concerned
● Source of personal data and whether it came from publicly available sources
(general info if a number of sources have been used)
iii. Situations in which additional info is required; Difference with Article 13
● Data subjects’ rights
a. Right to require controller to restrict processing of personal data in some
circumstances
i. Where processing is conducted on basis of controller’s
legitimate interest or necessary for performance of task carried
out in public interest or to object to profiling or
ii. For purpose of direct marketing including profiling related to
direct marketing
b. Right to request information about processing of personal data
c. These rights must be presented clearly and separately from other info
● International data transfers
a. Where personal data is transferred based on controller’s legitimate
interest, data subject must be informed of transfer and compelling
legitimate interest pursued
b. Consent, data subjects must be informed of possible risk of transfer due
to absence of adequacy decision or appropriate safeguards like
standard data protection clauses
c. Transfer based on BCR, data subjects must be informed of data
protection principles in BCR, data subject rights in relation to processing
and how to exercise that right including obtaining compensation for
breaches of BCR and liability arrangements under BCR
● New Purposes of processing
 a. Controller must provide subjects with info about new purpose and any
relevant info where controller intends to process personal data for
another purpose
● Multiple controllers
a. Multiple controllers should determine respective responsibilities for
complying with the Regulation under Articles 13 and 14
● Personal data breaches notification
iv. When Information should be provided to data subjects
● When personal data is collected from data subjects, information must be
provided to them when the personal data is collected
● If personal data is collected from some other source; fair processing information
should be provided
a. Within a reasonable period after obtaining personal data but at latest
one month having regard to specific circumstances in which personal
data are processed
b. If personal data is to be used for comm with data subject, at the latest at
time of first comm to data subject or
c. If disclosure to another recipient then at the latest when the personal
data are first disclosed
● If personal data is to be processed for another purpose, controller must provide
data subjects with required fair processing information before the new processing
begins
● Info regarding right to object to processing must be provided at the latest at time
of first comm with data subject
● Info about right to withdraw consent must be provided before data subject gives
their consent
v. How information should be provided to data subjects
● Info must be provided in a concise, transparent, intelligible and easily accessible
form using clear and plain language
● Info should be in writing or where appropriate by electronic means (website)
where there are a number of parties involved
● May be provided orally as long as ID of data subject is proven by other means
● Info should be provided free of charge
● Visualization to provide info is permitted eg standardized icons (visible,
understandable, meaningful); if electronic, they must be machine readable
● Info to object must be explicit and presently clearly and separately from other info
● Consent given in a written declaration that concerns other matters; the request
for consent must be clearly distinguishable, intelligible, easily accessible, using
clear and plain language
vi. Areas in which further information provision requirements could be imposed
● Processing of employee personal data in employment context
a. If additional rules introduced by member states, they must be suitable
and specific measures to safeguard data subjects’ rights
● Associations and other bodies representing categories of controllers have
opportunity to prepare codes of conduct setting out the application of regulation
in regards to transparency and info to provide children, public, data subjects
2. Exemptions to the obligation to provide info to data subjects
a. Regulation’s Own Exemptions
i. If info collected under Article 13 and data subject already has info
ii. If info collected from source other than data subject
● If data subject already has info
● Obtaining or disclosing info set by Union or Member state law to which controller
is subject and provide appropriate measures to protect data subject’s legit
interests
 ● Where personal data must remain confidential subject to an obligation of
professional secrecy regulated by Union or Member State law including statutory
obligation of secrecy
● Provision of info is impossible or would involve disproportionate effort in
particular for archiving purposes in public interest, scientific, or historical research
purposes or statistical purposes provided that:
a. Conditions and safeguards under Article 89(1) relating to processing for
these purposes are met or
b. Provision of fair processing info is likely to render impossible/seriously
impair the achievement of the objectives of that processing
c. Article 14(5) recognizes that provision of info to data subject can be
impossible or involve a disproportionate effort where information may be
widely known, many organizations may hold the info
i. If privacy of individual may be prejudiced, and controller
decides to dispense with the provision of fair processing info
based on the exemption, they should provide robust grounds
for collecting and processing the data
d. Article 14(5) also recognizes that a controller may have a legal basis for
processing personal data so long as there are sufficient privacy
safeguards and this basis protects data subject’s legitimate interests
hence no need to notify each data subject
e. Where personal data is collected from TP and no fair processing info is
provided, unless there is an exemption, data subjects are entitled to
request both info about the processing and access to their personal
data from a controller
● Disproportionate effort requires: number of data subjects, age of personal data
and any compensatory measures
b. Exemptions by Member States under Article 23 through legislative measures to provide fair
processing info under Art 13 and 14
i. Such restriction should be a necessary and proportionate measure to safeguard
● National security
● Defence
● Public security
● Prevention, investigation, detection, or prosecution of criminal offences or
execution of criminal penalties including safeguarding against and prevention of
threats to public security
● Protection of judicial independence and proceedings
● Prevention, investigation, detection, and prosecution of breaches of ethics for
regulated professions
● Monitoring, inspection or regulatory function connected even occasionally, to the
exercise of official authority in the cases referred
● Protection of data subject or rights and freedoms of others
● General public interest of Union or Member state including monetary budgetary
and taxation matters, public health and social security
ii. Legislative measures shall contain provisions regarding the right of data subjects to be
informed about the restriction unless doing so would prejudice purpose of restriction
c. Exemptions and derogations by member states for the purposes of journalism or academic artistry
or literary expression and the exemptions and derogations are necessary to reconcile the right to
protection of personal data with freedom of expression and information.
3. E-privacy Directive requirements
a. Directive 2002/58/EC concerning processing of personal data and protection of privacy in electronic
comm sector as amended has req relevant to use of cookies and similar technologies by website
operators, apps and other connected devices
 b. An entity has an obligation to get prior informed consent of user before placing a cookie or similar
technology on a user’s device
i. Info about sending and purposes of cookies or similar technology must be given to user
ii. User having been provided with such info must consent b4 cookie or similar technology is
placed on their device or info stored in device is retrieved
4. Fair Processing Notices
a. Practical Considerations for Fair processing notices
i. Controllers have discretion to determine how fair information processing is communicated
to data subjects and they also have the opportunity to choose mechanics to determine
transparency req: either provide info or explicitly bring it to attention of /inform data
subjects
ii. Factors that controllers should take into account
● Level of info already available to data subjects including whether or not they
know if their personal data will be collected and what it will be used for
● Whether there is any element of collection or processing data subjects would find
objectionable
● Whether or not consequences of supplying or not supplying personal data are
clear and what the consequences are (will it have a significant effect on data
subject, if it will then need to actively comm info)
● Nature of personal data collected and processed( eg is it special categories of
personal data?) type of individuals eg vulnerable individuals
● Method of data collection; provide fair processing info using same medium of
collecting data eg if you use phone to collect info then fair processing info could
be given orally with written version available if required and evidence of
interaction. If collection of personal data is thru website, then written notice on
the website
iii. The right to object to certain type of processing should be explicitly brought to data
subjects’ attention-controllers have to do more than make info available
iv. Regarding the fair processing information, controllers should ensure that it is
● Clear, concise, easy to understand in simple, unambiguous and direct language
● Genuinely informative, meaningful and appropriate and designed to help
individuals understand how personal data is used
● Accurate and up to date
● Provided in an appropriate manner to people with particular needs eg if children
then fair processing info should be provided in a way that they can understand
● Not misleading; options provided regarding use of data must be genuine and
honored; don’t make it seem like people have choice regarding processing of
their data when they don’t
● Forward looking but realistic; if broad then can allow for evolution of processing,
controller should not list possible future use of data where it is unlikely it will use
data for such purposes
● Meets requirements of regulation in terms of content and timing of delivery
b. Making the Provision of Fair Processing information effective
i. Commercial benefits of effective processing info
● Data subjects more likely to place trust in organizations that are transparent
about the use of personal data
● Data subjects more likely to provide valuable personal data to org that use it
properly
● Risk of complaints and disputes arising from use of personal data will be reduced
ii. Fair processing info may be most appropriately provided through a number of means
depending upon the circumstances of processing such as writing, orally, electronically and
using standardised icons. Approaches for provision of fair information processing:
● Layered fair processing notices
● Just-in-time notices
 ● Privacy dashboards
● Alternative formats and channels of comm for information
● Taking steps to adapt to req of diverse technologies including internet of things
c. Privacy notices
i. Layered fair processing notices
● Introduced by the Berlin Memorandum March 2004
● Basic info is provided in a short initial notice and further more detailed info is
available if data subject wishes to know more
● Suited to processing in an online context where click through links can facilitate
movt btn layers of fair info processing
a. If personal data is provided offline, a layered approach can be adopted
by providing a simple way for data subject to access info eg using a toll
free telephone number
● The initial notice must contain info as to the identity of the controller and high
level description of the purposes of processing. The notice could contain links
explaining the processing in more detail or a link to a second FULL notice with
additional info.
● Benefits of layered information
a. Recognize that data subjects can take in only certain amounts of info
about use of their personal data
b. Shorter privacy notices are easier to understand and remember
c. Layered notices can used to account for space / time limitations in a
number of situation in which personal data is collected
d. Longer notices tend to have legal terms and jargon affecting readability
ii. Just-in-time notices
● Processing at specific points of data collection. Data subject provided with info at
point at which it is relevant to them eg when they are providing personal data
using an online form, they could be provided with information about purposes of
processing at that point
iii. Dashboards
● Linking a fair processing notice to dashboard which allows data subjects to
control how personal data is processed
iv. Alternative Formats
● Regulation requires that Information is either provided in writing or electronic
means. Use of visualization is allowed and legislation to create standardised
icons
● Controllers should consider using animations to explain processing to children or
use icons in combination with just-in-time or layered notice where restrictions on
space make it difficult to clearly provide info
● In all cases controllers need to provide unlayered version of fair processing info
so that data subjects can search for and refer to it without clicking through web
pages and review it in another different medium (hard copy)
v. Fair Processing Information and Diverse Technologies
● Fair Processing info difficult if info collected using technologies like CCTV,
drones, wearable technologies or people use mobile devices
● WP29 considered this in context of directive and recommended
a. Using sign posts and information sheets where drones are operated in a
specific area
b. Using social media, newspapers, leaflets and posters to inform data
subjects when drones are used at events
c. Making fair information processing available on website to inform data
subjects about upcoming and past uses of drones
d. Taking steps to ensure drone is visible eg using bright colors, flashing
lights or buzzers
 e. Ensuring operator is clearly visible with signage identifying them as the
individual responsible for the drone
● Regarding sensors that collect personal data WP29 suggested printing a QR
code or flashcode on items equipped with sensors enabling data subjects to
access fair processing info
F. Data Subjects’ Rights
1. Introduction
a. Bolstering individual rights was one of the main ambitions of EU Commission in proposing the new
data protection framework
b. The following data subject’s rights may limit an org ability to lawfully process personal data and
also have a significant impact on the org core biz processes and biz model
c. The Modalities - to whom, how and when
i. Regulation unlike Directive requires the controller to use all reasonable efforts to verify
identity of data subjects
ii. Controller is not obliged to collect any additional personal data just to link certain pieces of
data it holds to a specific data subject
iii. Regarding data subjects’ requests, controller should confirm receipt of requests and clarify
any information. Relevant time window for responding is one month starting with receipt of
request. Two months for complex cases or specific situations
iv. During first month, org needs to act on request, if it can’t, it should inform data subject and
advise them of opportunity to lodge complaints with regulators
v. Form
1. Electronic req should be answered electronically
2. Email encryption not secure communication, org will need to deliver info in safe
manner
d. General Necessity of Transparent Communication
i. Data subjects need all the info to understand nature of processing and exercise their
statutory rights
ii. Information to be provided in a concise, transparent, intelligent and easily accessible form
using clear and plain lang
e. Right to Information about Personal data collection and processing
i. Data subjects need to be provided with info that describe their relationship with controller
ii. The information includes:
1. Controllers’ id and contact details, reasons/purposes for processing personal
data, legal basis for doing so, recipients of the data if they live in third countries
and other relevant info necessary to ensure fair and transparent processing of
data
2. Controller must id source of data if collected or obtained from TP so that data
subjects can pursue their rights
2. Right of Access
a. Data subject must be told of personal data the org holds about them
b. Data subject has the right to obtain from controller confirmation as to whether or not personal data
that concerns him or her is being processed.
c. Data subject is entitled to receive the following info
i. Purposes of processing
ii. Categories of personal data concerned
iii. Recipients or categories of recipient to whom personal data have been or will be disclosed
either those in third countries or international org
iv. Where possible, envisaged period for which personal data will be stored of if not possible,
criteria used to determine that period
v. Existence of right to request from controller rectification or erasure of personal data or
restriction of processing of personal concerning the data subject or to object to such
processing
vi. Right to lodge a complaint with supervisory authority
 vii. Where personal data is not collected from data subject, any available info as to their
source
viii. Existence of automated decision making including profiling and at least in those cases
meaningful info about the logic involved, as well as the significance and envisaged
consequences of such processing for data subject
d. Above req have a substantial admin burden on org so org will need to consider processes to
handle this task
3. Right to Rectification
a. Data subjects have right to rectification of inaccurate personal data and controllers must ensure
that inaccurate or incomplete data is erased, amended or rectified
4. Erasure and the right to be forgotten (RTFBF)
a. Data subjects obtain right to have personal data erased if
i. Data is no longer needed for original purpose and no new lawful purpose exists
ii. Lawful basis for processing is data subject’s consent and data subject withdraws consent
and no other lawful purpose exists
iii. Data subject exercises right to object and controller has no overriding grounds to continue
processing
iv. Data has been processed unlawfully
v. Erasure is necessary to comply with EU law or national law of relevant member state
b. Where controller has made any personal data public (telephone directory/social network) and data
subject exercises right to erasure, controller must take reasonable steps including applying
technological solutions but taking costs into account to inform TP which are processing the
personal data that data subject has exercise this right
c. Exceptions
i. For exercise right of freedom of expression and info
ii. Compliance with legal obligation which req processing by Union or member state law to
which the controller is subject or for performance of a task carried out in public interest like
public health, archiving and scientific, historical research or statistical purpose
iii. Establishment of exercise of or defence against legal claims
d. Data subjects can request info about identities of recipients to whom personal data has been
disclosed
e. If controller has disclosed personal data to TP and data subjects exercise right to erasure,
rectification or blocking, controller must notify TP of data subject’s exercise of rights
i. Exemption: if it is impossible to comply or would req disproportionate effort which must be
proven by controller
f. Right of erasure is meant to strengthen the right to be forgotten in an online environment so
controllers must have systems and procedures to given effect to rights and reliably notify TP
5. Right to Restriction of Processing
a. Controller can keep data but refrain from using it during the period for which that right applied
b. Data subjects have the right to restrict processing of personal data if
i. Accuracy of data is contested and only for as long as it takes to verify that accuracy
ii. Processing is unlawful and data subject req restriction rather than erasure
iii. Controller no longer needs the data for original purpose but data is still req by controller to
establish, exercise or defend legal right
iv. Verification of overriding grounds is pending in context of erasure req
c. From operational point of view, right can be achieved by
i. Temporarily moving selected data to another processing system
ii. Making selected personal data unavailable to users
iii. Temporarily removing it from a website
6. Right to object
a. Whenever a controller justifies data processing based on legitimate interests, data subjects can
object to such processing
 b. Controller can no longer process personal data unless they can demonstrate legitimate grounds for
processing which are sufficiently compelling to override the interests, rights, freedoms of data
subject such as to establish, exercise or defend against legal claims
c. Data subjects under Directive had right to object to direct marketing. They can also under
Regulation object to profiling.
d. The data subject must be explicitly, clearly and separately notified of right to object at the time of
first communication
e. The right to object when personal data is processed for scientific, historical research purposes or
archiving exists when processing is not considered necessary for performance of a task carried out
for reasons of public interest
7. Automated decision making, including profiling
a. This right is connected to the right to object
b. The right not to be subject to automated decision making applies only if such a decision is based
solely on autonomous processing and produces legal effects concerning the data subject or
similarly significant affects them
c. If a decision falls with the parameter above, underlying processing of personal data is allowed if it is
i. Authorised by law
ii. Necessary for preparation and execution of a contract
iii. Done with data subject’s explicit consent provided controller has put sufficient safeguards
in place
1. The right to obtain human intervention on part of controller
2. Opp for the data subject to contest the decision
8. Data portability
a. Data subjects have the right to receive their personal data in a structured commonly used and
machine readable format
b. They have right to transmit data to another controller
c. Controller must hand data to data subject in a usable fashion or at their req transfer data directly to
recipient of data subject’s choice where technically feasible
9. Restrictions of data subjects’ rights
a. Member states or union law may enact laws in regard to possible restrictions to the scope of the
data subjects’ rights
b. They may promote restrictions that while respecting data subjects’ fundamental rights and
freedoms are necessary to safeguard interests of national security, defence or public security
10. Controllers who understand and embrace data subjects’ rights will adopt them into their practices via privacy
by design and default and reflect them in their consumer interactions
G. Security of Personal Data
1. Background
a. Security is needed for compliance with data protection rules
b. Insecurity will cause
i. Unlawful flow of personal data across international boundaries
ii. It can lead to alteration of personal data and embedding of inaccuracies
iii. Cause data proliferation
iv. Cause distress to the individuals who are victims of security breaches and more
substantive harms such as identity theft and pecuniary loss and damage
v. Fraud and identity theft
c. Security Principle and risk based approach
i. Personal data shall be processed in a manner that ensure appropriate security of personal
data including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or organizational
measures
ii. Controllers and processors have to apply appropriate security
1. Need to cascade down compliance obligation to processor through contracts or
legal acts
 iii. Controllers have to main records of processing activity including a description of technical
and organisational security measures
2. Appropriate technical and organisational measures
a. Controllers and processors are required to implement technical and organizational measures
(controls ) to
i. protect against complex technological threats such as malware, and denial of service
attacks and other criminal threats as well as guard against negligent employees
ii. Appropriate does not mean absolute security. A controller or processor can suffer a
security breach without being in violation of the law
iii. There should be a risk based approach to assessment of what are or are not appropriate
controls
1. Must reflect on nature of data to be processed and reasonably foreseeable
threats that will exploit business process and technical system vulnerabilities
2. State of the art test and requirement to consider cost
a. Test req controllers and processors to consider industry BP
b. Requires controllers and processors to reflect upon consensus of
professional opinion for security with the result that if a body of
reasonably informed security professionals considers that a particular
control is appropriate in particular circumstances then the consensus
should be considered by controller/processor in making a decision on
whether to apply it in its environment
c. An example of consensus of professional opinion concerns encryption
where controllers and processors adopted encryption because it was
right thing to do not because of an express legal requirement
d. Pseudonymisation and encryption to be considered by controllers and
processors during design of security systems
e. Another example of consensus of professional opinion is maintaining
confidentiality, availability, integrity and resilience - obtained from
infosecurity industry
f. Codes of conduct and certification mechanisms can prove compliance
with security principle
3. Not all organizations can afford full-scale security control implementation-if a
control is expensive to implement then it does not have to be implemented
iv. Confidentiality, employees and other workers
1. Persons working under processors must work under duty of confidentiality
2. These people must act within boundaries of their instructions and not subvert the
controller’s role
3. Risk posed by employees and workers is insider threat
4. Controllers and processors should have robust policies to alert employees to
their responsibilities in handling personal data, provide role-based and regular
training and make clear consequences for violating policies
v. Relationship between controllers and processors
1. Intention of Art 28(1) is to flow down security principle and requirements into
processors’ organization and through supply chain to subprocessors
2. Controllers should use processors who can provide sufficient guarantees about
implementation of technical and organization measures for compliance with
GDPR and protection of data subject rights
a. Sufficient guarantees encompasses contracts and much more like
assurance mechanisms(vetting of the processor by the supplier via a
third party assessment or certification validation both before a contract
is created and afterwards)
b. Assurance mechanisms must include audit
 3. Defining feature of controller-processor relationship is that the processor can only
act on the instructions of the controller. If processor steps outside boundaries of
instructions, it will risk being defined as a controller
4. Another new devt with GDPR is duty of processor to assist controller with
achieving compliance and reduction of risk which includes assisting controller
with handling of personal data breach notification requirements
3. Breach notification
a. Controllers have to notify data breaches to data protection authorities DPAs and in certain
circumstances comm to people impacted
b. Breach notification indicates operational failure
i. Transparency of breach includes mitigation of loss and damage (affected data subjects
can take steps to protect their own interests)
ii. Transparency of breach also helps controllers, regulators, society understand causes of
failure and enable devt of appropriate responses to minimise risk of future events and
impact
iii. A breach also provides evidence to regulators and public to apply adverse scrutiny such
as regulatory enforcement proceedings and compensation claims
iv. GDPR is first law that has embedded breach disclosure rules on large scale
v. 2009 Citizens Rights Directive amended ePrivacy Directive 2002 to create a breach
disclosure regime for provides of publicly available electronic communications svs
c. Personal data breach is breach (actual breach and not risk of breach) of security leading to
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, access to personal
data transmitted stored or otherwise processed
d. Notifying regulator
i. When a personal data breach is detected and controller is aware of that breach, they
should notify the regulator. If controller is not aware of breach, no need to notify
ii. The personal data breach should be one that is likely to cause a risk to the rights and
freedoms of individuals; controller has to notify DPA without undue delay in 72 hrs
iii. Controller will need an incident response strategy for detection, classification and
notification to take place in a short period of time
1. This will include an incident response plan, incident response playbook, creation
of incident response team and an operational incident detection team like a
security operations center (SOC)
iv. The fact that a personal data breach has occured will be determinative of the question of
whether there is a risk to rights and freedoms
v. Controllers must keep records of breaches which are held in perpetuity so that regulator
can examine controllers’ decision making regarding breach response and disclosure
1. Controllers must maintain full records of every personal data breach that they
decide does not fall within requirements for disclosure as well as records of those
that do
vi. Processors have to notify personal data breaches to controllers without undue delay and
have an obligation to implement incident detection measures
e. Communicating breach to data subject
i. Controllers are to inform data subjects of personal data breaches if those breaches are
likely to present high risks to the rights and freedoms of individuals
1. High risk includes physical, material or non-material damages
2. Risk assessment whereby risks are evaluated on basis of objective assessment
referencing the nature, scope, context and purposes of processing
3. “High” risk is determined by looking at impact to large number of data subjects or
large amount of damage to certain individuals
ii. Exceptions
1. Measures taken to render personal data unintelligible by use of encryption
(encryption safe harbor)
 2. Controller takes the steps to prevent high risk from materializing - having a good
quality incident response strategy for quickly responding to and mitigating a
breach means that you are less likely to notify data subjects after a breach
3. Disproportionate effort - arises where the controller is unable to identify all
individuals impacted by the breach. There needs to be a broad public
announcement like a press release or statement on a website
iii. Regulators have power to order controllers to engage in these communications
4. Delivery on security
a. Good programme design necessary for success of a regulatory large scale biz transformation
exercise
i. The programme need board approval to be successful
ii. These programmes are integrated into biz operation through strategy and necessary
organizational structures ensuring technical and organizational controls are employed
1. Structures include:
a. Programme design and management
b. Governance structures
c. Policy frameworks
d. Technical controls
e. Frameworks
2. Members of programme steering function will be drawn from key executives
3. Such programmes will ensure a holistic multidisciplinary approach comprising
security professionals, data protection and legal professionals
4. Security professionals will present views and recommendations regarding what
needs to be done to deliver operational security that forms part of the risk
assessment process that organization has put in place for accountability and
privacy by design purposes
a. Strong security programme is considered for data protection regulatory
compliance but also protects financial, operational, reputational and
legal interests
b. Security experts advise organizations on situational awareness, threat
landscape, security maturity and controls to manage security with
regard to risks facing the organization, physical and technical
environment, its people and data
c. Need for independent reviews and testing of organization capabilities
and necessary scenario planning to enable incident preparedness and
incident response
b. The Threat Vectors, Causes of Failure and Risk Assessments
i. Causes of security failure range from accidental to deliberate. Following factors should be
considered by controllers and processors in designing response:
1. Performing threat and vulnerability assessments and security maturity
assessments
2. Management of security
3. Human factors
4. Physical env
5. Cyber and technology env
6. Policy, controls, and business processes framework
7. Incident detection and response
ii. To perform comprehensive risk assessments, org needs to identify and understand full
information cycle
1. Controller needs to go through data mapping and inventory exercise to pinpoint
data capture, entry and plot flow of data thru org until data is deleted or
destroyed
2. Challenges of identifying data
a. Growth of cloud computing
 b. Bring your own device strategies where org can lose their data
c. Growth of outsourcing means org internal expertise is eroded
c. What is Appropriate
i. Org will need to consult internal security professionals about nature of security threats and
risks and nature of response strategy to understand meaning of “appropriate technical and
organizational measures”
ii. They can also review and familiarise themselves with the following:
1. Related pieces of legislative framework with security provisions like EU
Cybersecurity Directive
2. Output of institutions like Article 29 Working Party
3. Output of security centres of excellence like National Cyber Security Centre in
UK
4. Policy frameworks of national governments
5. Regulatory policy statements and other guidance by national data protection
regulators
6. Decisions in regulatory enforcement actions brought by national data protection
regulators
7. Decisions of courts and tribunals
8. National and international standards for best practice eg ISO 270000 series,
Payment Card Industry Data Security Standard, CBEST and NIST framework
9. Output of relevant professional associations and affinity groups such as Cloud
Security Alliance and Information Security Forum
d. Effective Management
i. There is need for appropriate organisational measures for security - key within consensus
of professional opinion for operational security
ii. Engaged management is necessary to create clear management structures and will have
key attributes
1. Security will be treated as a board level issue
2. Board will foster a culture of risk and awareness and respect for personal data
3. Multidisciplinary team consisting of senior management from IT, security, legal,
compliance, HR, finance, audit, company secretariat
4. Allocation of sufficient resources
5. Org takes seriously departures from policy and other relevant incidents
6. Engagement in planning exercises such as simulations and role play
e. Culture within organization and workers as the insider threat
i. If there is full management buy-in, they will shape the organization as a whole towards
culture of risk awareness and respect for personal data as part of drive for good security
ii. There is need to select competent, trustworthy and reliable good workers.
iii. Components of good culture for security include:
1. Understanding people risks-identify security risks within job and how they will be
addressed
2. Recruitment process- get right people for job
3. Offer letter and contract of employment
4. Acceptance of job offer-introduce recruit to policy framework
5. Induction day: Familiarise new hires with aspects of biz
6. Continuous and role based training
iv. Need for disciplinary measures for those who reject organization culture
v. Consider cultural issues at end of employment - return physical assets, workers personal
equipment must be cleansed, access rights and privileges need to be terminated,
sufficient post termination restrictions
f. Policy framework, controls and processes - security paperwork
i. Need for security paperwork- regulators look out for adequacy of security paperwork
during investigations and enforcement proceedings; documentation is also needed during
 litigation during discovery or disclosure; contracting processes between biz, can ask for
security paperwork during contractual due diligence
ii. Inadequate paperwork causes serious damage to controllers since this creates sufficient
grounds for non-compliance
iii. Enforcement and supervision of data protection can operate on anticipatory basis
iv. In investigations, regulators can examine organization’s paperwork/operations
1. Policy based regulation has emerged since it is cheaper, quicker and more
efficient than operations based regulation
v. Data protection by design, data protection impact assessments and accountability
principles necessitate creation and distribution of records
vi. Org should adopt layered approach to creation of paperwork
1. Top layer is a high level doc with controller’s policy statements that explain
controller’s position on confidentiality and security. This doc has management
structures, engagement if workers/contractors, use if IT, physical comm systems
and physical environment
a. Secure data transit - company will ensure security of personal data in
transit
2. Middle layer is a more detailed document with controls to be implemented to
achieve policy statements. The controls expand upon policy statements to show
how controller will achieve them
a. Secure data transit - encryption
i. Laptops will be protected by full hard drive encryption
ii. All USB memory sticks protected by encryption
iii. Only company computers to be used for company biz
3. Third layer is most detailed with operating processes and procedures to be
followed to deliver controls into operations
a. Secure data transit - encryption of laptops a process of activities from
the time it is ordered to the time it is given to employee
g. Technology stack
i. The technology stacks must be robust and fit for purpose
ii. Company must consider encryption, antivirus, antispam, firewalls, identity and access
management, incident detection, data loss prevention, two factor authentication and IP log
management
iii. Need for filtering of electronic comm and monitoring of use of IT and comm systems. Use
of such technologies involve complex privacy and employment law issues
iv. In Germany, need for engagement with work councils b4 technologies are deployed
v. Full testing of technology stack to withstand cyberattacks and misuse
h. Physical Environment
i. Sophisticated entry control systems, closed circuit tv, lock and key; clean desk policies
should be part of business continuity and disaster recovery and subject to same
restrictions as other monitoring controls
5. Processes, Suppliers and Vendor Risk Management
a. Under GDPR, controllers must choose
i. Reliable processors
ii. Maintain quality control and compliance throughout duration of arrangements
iii. Frame relationship in a control that contains necessary provisions req processor to
implement and maintain appropriate security measures, to act on controller’s instructions,
cooperate with controller on compliance including breach disclosure, cascade these
requirements through the supply chain
b. What complicates contractual process
i. Negotiation between parties of unequal bargaining power or from EU and non EU
jurisdiction
ii. Specific technologies like cloud computing may be tricky
c. To ensure compliance with Article 28 of GDPR, the following checklist should be considered
 i. Verify process is cognisant of core requirements of data protection
ii. Research whether processor has suffered any high profile security or confidentiality
iii. Identify processor’s other clients
iv. Clarify whether processor is currently under investigation for any data protection breaches
v. Carry out audits
vi. Carry out site visits and inspections
vii. Review processors’ policy framework for security and data protection
viii. Clarify whether processor is accredited under ISO 27001, CBEST, PCI DSS or under a
comparable regime for informational security
ix. Identify processor’s place of establishment
x. Understand processor’s supply chain and subcontracting
d. Consider alternative service if processor is being difficult
e. Contracting should also include suitable framework for ongoing assurance ranging from onsite
audits, inspections and testing to periodic assessments of ongoing compliance
f. Require processors to have minimum security measures, need to adhere to security plan, need to
undergo regular systems testing, need to undertake threat, vulnerability and maturity assessment;
permitted and non permitted location for processing; permitted and non-permitted subcontracting, a
plan for what happens to data at close of business engagement, indemnities against regulatory
sanctions and penalties along with costs associated with a breach such as notification or services
provided to victims
6. Incident Response
a. Introduction
i. Required to put in place appropriate technical and organizational measures for incident
detection and response
b. Scope of incident response plan
i. Need for controllers and processors to define which parts of incident response continuum
are being addressed by the plan
c. Core requirements of incident response plan
i. Formal understanding and approval by senior leadership
ii. Governance model connected both to anticipatory aspects of incident response and
response aspects of incident response
iii. Principles for decision making
iv. A list of who will be involved and their roles
v. Predictive, forward looking outcome analysis
vi. Compulsory reporting of unusual events
vii. Multidisciplinary and multijurisdictional expert view at point of detection including forensics
and law enforcement
viii. Performance exercises such as table-top incidents
ix. Performance metrics-what is a successful response?
x. Templates of public messaging and communication
xi. Benchmarking against peers in marketplace
xii. Updated schedule to make sure plan is in accordance with prevailing legal and regulatory
environment
d. Decision about incident response functions
i. Org needs to be clear about ambitions for capability and measure its current capabilities
including considering the following:-
1. Ambitions vs capabilities- Is team made up of people/framework/leadership
2. Gap analysis-consider objective of plan and capability
3. Discovery-Should consider what else is done relevant to incident response
4. Reviewing previous events
e. Moving incident response forward
i. Organization should make sure it has incident detection capabilities and appropriately
monitor and document them
ii. Need to install necessary incident technologies such as intrusion detection
 iii. Compromise testing to be performed
iv. Taxonomy and classification scheme so that everyone knows sensitivity and personal
nature of data compromised in a breach
v. Great incident plan will have a playbook or procedures for handling incident categories
most likely to occur
f. Handling fall out
i. The plan will also deal with aftermath of incident including dealing with TP and also have a
litigation posture reflected in plan or playbook which explains roles to be played by internal
and external legal advisers
ii. Also plan must have a communications component detailing who is to speak to media and
what is to be explained
iii. Security team handles technical implementation - privacy advises the security team on
regulatory obligations, response capabilities and ensure security incidents don’t rise to a
breach

H. Accountability Requirements
1. Introduction
a. GDPR embedded accountability into the data legislative framework
b. Controllers and processors have different obligations to show compliance
c. Accountability was first outline in the OECD Guidelines on the protection of Privacy and
Transborder Flows of Personal Data
d. Some regulators take a more proactive approach to accountability like the French Data Protection
Authority CNIL
i. Has a Privacy Governance Procedure standards - Companies demonstrating compliance
with standards obtain a privacy seal
1. Includes developing internal and external privacy policies
2. Appointment of DPO
3. Data Protection Audits
4. Handling of data subject access and data breaches
2. Responsibility of controllers and processors
a. Controllers
i. Must comply with six principles and demonstrate compliance with these principles
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
ii. Must implement appropriate technical and org measures to ensure compliance with Reg
and update when necessary
1. Measures should take into account nature, scope, context and purpose of
processing and risks to rights and freedoms of individuals
2. Greater measures needed if there is a higher level of risk of individuals
iii. Must implement appropriate data protection policies
1. Internal policies
a. Scope
i. Policy with a brief statement explaining to whom policy applies
and type of processing activities it covers
b. Policy statement
i. Sets out company commitment regarding processing of
personal data
ii. Should describe purposes of collection and process and
specify legitimate biz interest for which personal data is
collected and processed
 iii. Should reiterate the principles of processing personal data
c. Employee responsibilities
i. Include different areas for which employees are directly
responsible when processing personal data
ii. Limitations on use of collected personal data
iii. Steps for ensuring accuracy of collected personal data
iv. Employees should be fully aware of security obligation and
should take all reasonable steps to prevent unauthorized
access/use
v. Security obligations addressed in separate information security
policy (has technical standards that apply to physical and
digital security of all data a company holds). The privacy and
security policy should be cross-referenced
vi. Transfer of personal data prohibited unless there are legitimate
grounds which should be outlined
vii. Address destruction or deletion of personal data - stand alone
policy
d. Management responsibilities
i. Should specify senior management roles across biz including
assessing risk from processing personal data
ii. Senior managers must work with biz to develop procedures
and controls to identify and address risks appropriately. Could
include DPO appointment
iii. Need for responsibility allocation from determining risk-based
technical, physical, and admin safeguards for protecting
personal data including safeguards for equipment, facilities and
locations where personal data is stored, to establishing
procedures and requirements for transferring personal data to
countries/TP
e. Reporting incidents
i. Employees should be required to report immediately all
incidents involving suspected/actual loss, theft, unauthorized
disclosure or inappropriate use of personal data. It should be
clearly indicated where a report should be made
ii. If it is a TP notifying, steps should be clearly identified
iii. Significant data breaches should be declared to DPA in 72hrs
iv. Incident response plans to be tested regularly and incident
response teams made up of rep from relevant function should
be put together
f. Policy Compliance
i. Non compliance by employee with data protection law means
employee and company subject to civil and criminal penalties
ii. Sanctions include termination of employment (contract of svs)
or contracts for svs
2. Internal allocation of responsibilities
a. Controller must demonstrated and provide info to DPA about various
data protection management resources
b. Controller is also responsible for internal data protection framework to
ensure internal compliance
c. Internal allocation of resp to facilitate supervision by DPAs, allow data
subjects to exercise their rights, enable policies, procedures and
processes to be updated
 d. Data controller may create a privacy management team or council with
responsibility for overlooking compliance within the data protection
framework
e. A DPO can be appointed to handle data protection framework
3. Training
a. Internal training programmes designed to address and inform
employees of data protection obligations and policy requirements
should be created with training modules on data retention and infosec
b. Training programmes should be tailor to biz, ops and roles and
responsibilities of diff employees
c. Controller should document, monitor the roll out and completion rate of
training programme
d. Controller should also deliver messages and updates to employees to
remind them of their privacy obligations
3. Data protection by design and by default
a. Introduction
i. Privacy by design and default are technical and organizational measures a data controller
is required to implement as part of process of protecting rights and freedoms of individuals
b. Privacy by design
i. Requires embedding data protection into design specifications of new systems and
technologies at the outset of devt of new products, services or technologies
c. Privacy by default
i. Companies should implement appropriate technical and organizational measures to
ensure that by default only personal data necessary for each specific purpose of
processing is processed
ii. Minimise collection of data and also exercise greater controls over processing
iii. Companies should not store data for longer than is necessary for purpose
d. Compliance
i. Becoming certified under certified mechanism by European Data Protection Board -
theoretical for now
ii. Controllers must consider state of art, cost of implementation and nature, scope, content
and purpose of processing and risks to rights and freedoms of natural persons
iii. Technical measures
1. Data minimisation
2. Pseudonymisation
3. Allowing individuals greater control over personal data and visibility over what is
processed
iv. Companies need to review and assess data processing systems and operations to
determine
1. Whether personal data is appropriately mapped, labelled, stored and accessible
in order to allow it to be searched and collated easily in event of request by data
subject
2. Systems are set up for automatic deletion of personal data
3. Paper-based forms and applications to ensure excessive personal data not
collected
4. Pseudonymisation of personal data where possible
5. Personal data is structured in a commonly used, machine readable and
interoperable format to satisfy data portability requirement
4. Documentation and cooperation with regulators
a. Under Directive, company setting up offices and operations in EU had to notify or register with
national DPAs their intention to process personal data within their jurisdiction
b. Under GDPR, controllers no longer need to notify data processing activities. Instead they need to
keep detailed records of processing operations
 c. Records have to be in writing which includes in electronic form and be made available to DPA upon
a DPA’s request
d. Data processing records to be kept in a company
i. Controllers
1. Controller’s name and contact details and where applicable name and contact
details of joint controller, representative, DPOs
2. Purpose of processing
3. Descrp of data subjects and categories of personal data
4. Categories of recipients to whom personal data have been or will be disclosed
including recipients in third countries or international org
5. Id of transferee third country, documentation of appropriate safeguards where
data is transferred to third countries
6. Retention periods for erasure/ deletion of different categories of personal data
7. General description of technical and org security measures where possible
ii. Processors
1. Name and contact details of processor/processors; where applicable name and
contact details of representatives and DPOs
2. Name and contact details of each data controller for whom processor acts; where
applicable name and contact details of representatives and DPOs
3. Categories of processing carried out on behalf of controller
4. Where applicable, details of transfers of personal data to third countries including
ID of transferee third country; documentation of appropriate safeguards
5. Where possible, general description of processor’s technical and org security
measures
e. Application of record-keeping requirements
i. Company with 250 employees exempted unless this company
1. Engaged in processing likely to result in risk to rights and freedom of data
subjects
2. Processing is frequent and not occasional
3. Processing involves special categories of data
ii. Applies to data related to criminal convictions and offences
5. Data protection impact assessment
a. Can be used by companies to identify and address any data protection issues that may arise when
developing new pdts /svs or undertaking new activities involving processing of personal data
b. In addition, it applies when processing activity may present high risk to rights and freedoms of data
subjects
c. Basically it is a process by which companies can systematically assess and identify privacy and
data protection impacts of any products they offer and svs they provide
d. Complying with DPIA requirement
i. Is processing likely to be high risk?
1. Systematic and extensive profiling that produces legal effects or significantly
affects individuals
2. Processing activities that use special categories of personal data on a large scale
3. Systematic monitoring of a publicly accessible area on large scale (CCTV)
4. Use of drones and video surveillance in public areas
ii. What if processing is high risk and assessment is required?
1. Company should seek advice of DPO
2. DPIA must contain and document
a. Systematic description of envisaged processing operations and
purposes of processing including any legitimate interest pursued by
controller
b. Assessment of necessity and proportionality of processing operations
c. Assessment of risks to rights and freedoms of individuals
 d. Measures adopted to address risks including safeguards, security
measures and mechanisms
3. Methods of conducting DPIAs vary from using paper forms to emailing
documents to appropriate stakeholders including employing automation
technology
4. You may seek views of affected individuals or representatives of their intended
processing
iii. What if processing is still high risk?
1. Consult DPA if no sufficient methods to mitigate risk
2. DPAs have 8 weeks to consider referral by data controller; can be extended by
additional 6 weeks and inherent power to suspend timetable if DPA is waiting for
info from controller
6. Mandatory data protection officers
a. Designate DPO where
i. Processing is carried out by public authority
ii. Core activities of controller or processor (private sector) consist of regular and systematic
monitoring of individuals on large scale
1. Regular and systematic monitoring means internet based tracking and profiling
not restricted to online environment
a. Regular encompasses
i. Ongoing or occurring at particular intervals for a particular
period
ii. Recurring or repeated at fixed times
iii. Constantly or periodically taking place
b. Systematic encompasses
i. Occurring according to a system
ii. Pre-arranged, organized, methodical
iii. Taking place as part of a general plan for data collection
iv. Carried out as part of strategy
iii. Core activities consist of special categories of personal data on large scale
1. Core activities: key operations necessary to achieve controllers/processors goals
2. Large scale ; reference to number of data subjects and not org size
a. Number of data subjects concerned
b. Volume of data
c. Duration and permanence of data processing activity
d. Geographical extent of processing activity
iv. DPO must be appointed if required by member state law
1. Germany
a. Companies with at least 9 people employed in automated processing of
personal data
b. Companies with at least 20 people employed in non-automated data
processing
2. France
a. A company that appoints a DPO is exempt from making prior
declarations to
b. Group wide appointment
i. Group of undertaking may appoint a DPO but he must be accessible to all and deal with
nuances of member state derogations/ member state laws
c. Role of DPO
i. Must be involved on all issues related to protection of personal data
ii. They must operate independently. Should not be dismissed or penalized for doing their
work and can have other roles if no conflict
iii. Can be appointed for fixed term
iv. Should have a direct reporting line to highest management level
 v. Must have access to company’s data protection operations
vi. Must have sufficient technical knowledge and expertise
vii. Should be appointed based on experience and abilities in data privacy
1. Should inform and advise company and employees obligations under Regulation
2. Monitor compliance with the Regulation and company policies in relation to
protection of personal data including managing internal data protection activities,
training staff and conducting internal audits
3. Provide advice regarding DPIA and monitor its performance
4. Cooperate with supervisory authority
5. Acs as POC for supervisory authority on issues relating to processing
viii. Role may be performed by employee or third-party service provider
7. Binding Corporate Rules
a. Known as gold standard of global data protection
i. When companies use them, they are required to demonstrate their privacy compliance
framework upon application to their lead DPA who monitors compliance
1. Framework must show
a. Policy in place
b. Employees aware of policy and training
c. Person responsible for compliance has been appointed
d. Audits are undertaken
e. System for handling complaints has been set up
f. Org transparent about transfer of data
b. Privacy framework/ code implemented by companies. Initially created by EU commission to
facilitate cross border transfers of personal data
c. Under BCRs, personal data can move freely between various entities of a corporate group and
highest level of protection of personal data should be adhered to by members of group
I. International Data Transfers
1. Introduction
a. Transfers of personal data to country outside of European Economic Area (EEA) may only take
place subject to
i. Third country ensuring adequate level of protection for personal data as determined by the
European Commission
ii. Provision of appropriate safeguards on condition that enforceable data subject rights and
legal remedies are available (where there is no adequate level of protection)
iii. A transfer of personal data fits within one of the derogations (where there is no adequate
level of protection)
b. Scope of data transfers
i. Transfer of personal data is not the same as mere transit; the processing in third country
completes transfer
ii. Not transfer of data
1. Technical routing of packet switch technology, internet email and web pages that
involve random transfer of personal data between computer servers located
anywhere in the world
2. Electronic access to personal data by travellers who happen to be physically
located for a short period of time in place where there is no adequate level of
protection
3. Court of Justice decision - Bodil Lindqvist; loading personal info onto website
hosted in another country and making it accessible to anyone is not transfer of
data to a third country
2. Rationale for prohibition
a. Cross-border flows of personal data necessary for expansion of international trade but level of
protection of natural persons should not be undermined
3. Safe jurisdictions
 a. Adequate level of protection in a country, territory, sector within country or organisation is assessed
by European Commission
b. When assessing the adequacy of the level of protection, the Commission must take in account the
following
i. Rule of law, respect for human rights and fundamental freedoms, relevant legislation, both
general and sectoral including concerning public security, defence, national security,
criminal law, access of public authorities to personal data, as well as implementation of
the legislation, data protection rules, professional rules, security measures, including rules
for onward transfer of personal data to another third country or international organization
which are complied with in that country or international org or case law as well as effective
and enforceable data subject rights and effective admin and judicial redress for data
subjects whose personal data is being transferred
ii. Existence and effective functioning of one or more independent supervisory authorities in
their country or to which an international org is subject with responsibility for ensuring and
enforcing compliance with data protection rules including adequate enforcement powers
for assisting and advising data subjects in exercising their rights and for cooperation with
the supervisory authorities of the EU Member states and
iii. International commitments the third country or international organization has entered into
and obligations arising from legally binding conventions or instruments as well as from its
participation in multilateral systems
c. After assessing adequacy of level of protection, commission may through an implementing act
provide for a mechanism of review at least every 4 yrs
i. Implementing act must specify territorial and sectoral org and identify supervisory authority
or authorities who are necessary to ensure compliance with data protection rules
d. Commission must monitor devt in third countries and org that could affect functioning of adequacy
decision adopted including those adopted under the original Directive
e. Where there is no longer an adequate level of protection, Commission should repeal, amend or
suspend the decision
f. Any adequacy decision adopted by Commission on basis of Directive remains in force unless
repealed, amended or suspended
g. Under Directive following countries were recognized
i. Andorra, Argentina, Canadá, Israel, Switzerland, Uruguay, Isle of Man, Jersey, Faroe
Islands, Guernsey
4. Safe Harbor and Privacy Shield
a. Original Safe Harbor
i. US Dept of Commerce and EU commission developed safe harbor as self regulatory
framework to allow organisations to satisfy requirements of EU Data Protection law in
respect of transatlantic data transfers
ii. 26 July 2000, commission issued decision stating safe harbor principles provided
adequate protection for personal data transferred from EU to US based companies
iii. Areas of concern: self-certification nature, participants did not perform annual compliance
checks, lack of active enforcement by FTC compared to domestic cases
b. Snowden Effect
i. Disclosures by Edward Snowden in June 2013 about mass surveillance ops carried out by
US National Security Agency and allegations that companies in the safe harbor scheme
might have been involved in US Surveillance activities resulted in calls to revoke Safe
Harbor
ii. Revocation out of the question since it would adversely affect EU biz interests;
renegotiation with US govt to address weakness in scheme 27 Nov 2013
c. Safe Harbor II
i. EU Commission began discussions with US Authorities and provide 13 recommendations
aimed at addressing Safe Harbor weaknesses focusing on transparency, redress,
enforcement and access to data by US Authorities.
 1. Most contentious recommendation; national security exception to be applied
when strictly necessary and proportionate
ii. Max Schrems case regarding validity of Safe Harbor; Max lodged complaint with Irish data
protection commissioner requesting termination of any transfers of personal data by
Facebook Ireland claiming FB Ireland - data controller for EU users’ data - could no longer
rely on Safe Harbor to legitimise transfer of his data to us because of wide access that US
intelligence agencies had to such data. Case was referred to CJEU who issued judgment
on 6 October 2015 invalidating Safe Harbor
d. Privacy Shield
i. 29 Feb 2016, Privacy Shield draft decision was released after 2 years of negotiation
ii. Privacy Shield ensures EU individuals can exercise their rights when data is processed in
US and legal limitations affecting access to personal data by US govt agencies
iii. WP29 opinion concerns regarding ability of US public authorities to access data
transferred, lack of key data protection principles from EU Law, protection for onward data
transfers, redress for individuals was too complex, no exclusion of massive and
indiscriminate collection of personal data originating from the EU by US Intelligence
agencies and that new ombudsperson was not sufficiently independent or powerful
e. Operation of Privacy Shield
i. 12 July 2016 adequacy decision concerning Privacy Shield released
ii. Came into operation 1 Aug 2016 and US biz subject to FTC and Department of
transportation can join privacy shield by filing online registration with Dept of Commerce
iii. Excludes: Banks, Financial Svs companies, Telecoms and other biz not subject to
jurisdiction of FTC and DOT
iv. Companies have to comply with the following seven principles
1. Notice
2. Choice
3. Security
4. Accountability for onward transfer
5. Access
6. Data integrity and purpose limitation
7. Recourse, enforcement and liability
v. Companies that self-certify with Privacy Shield principles need to take certain steps to
demonstrate compliance
1. Conduct internal compliance assessment to determine company’s ability to
comply with the principles with respect to info covered by certification
2. Register with third party arbitration provider to handle complaints form EU
individuals regarding handling of their info
3. Adopt Privacy Shield notice containing 13 specified details about company’s
privacy practices and publish notice online
f. Privacy shield likely to be challenged because of govt surveillance.
5. Providing Adequate Safeguards for data incase no adequate level of protection
a. Legally binding and enforceable instrument btn public authorities or bodies
b. Binding Corporate Rules
c. Standard data protection clauses adopted by the Commission
d. Standard data protection clauses adopted by a supervisory authority and approved by Comm
e. Approved code of conduct together with binding and enforceable commitments of controller or
processor in third country to apply appropriate safeguards including as regards to data subject
rights
f. Approved certification mechanism together with binding and enforceable commitments of controller
or processor in third country to apply appropriate safeguards including as regards to data subject
rights
g. Contractual clauses btn controller or processor and controller, processor or recipient of personal
data in the third country or international org or provisions to be inserted into admin arrangements
 btn public authorities or bodies specifically approved for that purpose by competent data protection
supervisory authority
6. Model contracts
a. Most frequently used mechanism to legitimise international data transfers to countries deemed not
to provide adequate level of protection
b. Under Directive, this was a contract pre-approved by EU Commission and established obligations
to both exporters and importers to safeguard personal data
i. In June 2001, Commission adopted a decision regarding standard contractual clauses
ensuring adequate safeguards for personal data transferred in EU to controllers in non-
adequate Jurisdiction
ii. Dec 2001, Second Decision regarding standard contractual clauses for transfer of
personal data to processors established in non -EEA countries not having adequate
protection
iii. 27 Dec 2004 Decision amended 2001 Decision by adding a second version of standard
contractual clauses to legitimise international transfers btn controllers
iv. 5 February 2010; Decision by Commission updating and replacing original controller to
processor standard clauses with a new set of model clauses
c. 2001 controller to controller clauses, 2004 alternative controller to controller clauses and 2010
controller to processor clauses valId until replaced or amended under GDPR
d. DPAs have authority to adopt standard contractual clauses or authorize transfers based on ad-hoc
contracts presented to them by parties
e. Some companies have created own version of data transfer agreements and sought approval by
DPAs. These include companies like Microsoft, Amazon and Google
7. Binding Corporate Rules (BCRs)
a. BCRs are a mechanism available to both controllers and processors to legitimise transfers within
corporate groups
b. Concept Developed by EU DPAs in 2003 to allow multinational org and companies to make
intraorg transfers of personal data
c. Companies draw up global set of rules based on EU Privacy standards voluntarily and seek
approval of national regulators
d. BCR requirements
i. Must include the following elements to be complete and valid
1. Structure and contact details of corporate group and each of its members
2. Data transfers or set of transfers including categories of personal data, type of
processing, purpose, type of data subjects affected, id of third countries in
question
3. Legally binding internally and externally
4. Application of general data protection principles - purpose limitation, data
minimization, limited storage period, data quality, data protection by
design/default, legal basis for processing of special categories of personal data,
measures to ensure data security, req regarding onward transfers to bodies not
bound by BCR
5. Rights of data subjects regarding processing and means to exercise those rights
6. Acceptance by controller/processor est on territory of member state of liability for
any breaches of BCR by any member concerned not established in Union
7. How info on BCR is provided to data subjects
8. Tasks of any data protection officer or any person in charge of monitoring
compliance
9. Complaint procedures
10. Mechanisms for ensuring verification of compliance with BCR
11. Mechanisms for reporting & recording changes to the rules and reporting those
changes to the supervisory authority
12. The cooperation mechanism with supervisory authority to ensure compliance
 13. Mechanism for reporting to competent supervisory authority any legal req to
which member of corporate group is subject in third country likely to have
substantial adverse effect on guarantees provided by BCR
14. Appropriate data protection training to personnel having permanent or regular
access to personal data
8. Codes of Conduct and Certifications
a. One interesting novelties of GDPR is addition of codes of conduct and certification mechanisms to
transfer personal data
9. Derogation
a. Consent
i. Explicit specific and informed consent of individual (must be informed of risks of such
transfers)
b. Contract Performance
i. Contract btn exporter and individuals to whom data relates when transfer is necessary for
performance of contract or necessary part of pre-contractual measures taken by exporter
at request of the individual
ii. Contract btn exporter and someone else; transfer lawful if contract is entered into at
individuals’ request or in their interests and transfer is necessary for performance of K or
conclusion of contract
iii. Contracts involve services, goods and employment contracts
iv. Whether a transfer is necessary for the performance of a contract will depend on nature of
goods or services provided under the contract rather than the way in which exporters’
operations are organized
c. Substantial Public Interest for crime prevention, detection, national security & tax collection
d. Legal claims where necessary for establishing, exercising or defending legal claims
e. Vital interests; where necessary to protect vital interests of data subjects related to life and death
f. Public registers
i. Exports of personal data can be made from info available on public register provided that
person to whom the info is transferred complies with any restrictions on access to or use
of info in register - extracts of public register of directors, shareholders, professional
practitioners not complete register
g. Not repetitive transfers
i. If transfer is not repetitive, concerns a limited number of data subjects, necessary for the
purposes of compelling legitimate interests pursued by controllers which are not
overridden by interests or rights and freedoms of data subjects and controller has
assessed all circumstances surrounding the data transfer and based on assessment has
provide suitable safeguards regarding protection of personal data
J. Supervision and enforcement
1. Introduction
a. The GDPR regulatory system
i. Self Regulation
1. Controllers and processors are required to supervise themselves and enforce the
need for appropriate measures
2. GDPR introduces accountability requiring controllers to show compliance with
data protection principles through DPOs, codes of conduct, certification schemes
for data protection seals and marks. Controllers also regulate processors and
processors regulate sub processors
a. Accountability
i. Controller should carry out performance testing, adjust and
refine activities to achieve good data protection
ii. Controllers relationship with processors includes supervision
and enforcement
iii. The requirement of notification of data breaches to DPAs and
individuals in serious cases
 iv. Controllers need to perform DPIAs and consult with DPAs
when DPIA indicates that processing would result in high risks
to rights and freedoms of individuals in absence of measures
taken by controllers to mitigate risks
b. Data Protection officers
i. GDPR mandates appointment of DPOs to focus on
compliance. They are immune from dismissal (quasi DPA) and
cooperate with DPA
c. Codes of conduct, certification schemes, seals and marks
i. Rep bodies for controllers and processors like industry
associations are encouraged to create codes of conduct on
any aspect of data protection and to monitor for compliance
ii. Any representative body can submit draft code to DPA for
approval
iii. Adoption of code is subject to consistency mechanism where
draft code will impact at least two EU member states
iv. Monitoring Body
1. Have to prove independence, expertise and avoid
conflicts
2. Should have procedures for effective monitoring for
compliance and dealing with complaints
3. Should take action against infringement
v. DPAs retain jurisdiction over subject matter covered by codes
and over controllers and processors who have undertaken to
follow them
vi. DPAs also revoke monitoring body’s accreditation
vii. Certification rules for seals and marks
1. Issued by certification bodies accredited by DPAs and
national accreditation bodies in member states
2. Need to show independence and expertise, avoid
conflict to get accreditation
3. Must have procedures for issuing, reviewing and
revoking seals and marks
4. Must have procedures for handling complaints
5. Certification bodies can be fined for breaching
certification rules and have accreditations revoked by
DPAs
ii. Regulation by Individuals/CSOs
1. Regulation through use of data subject rights
a. Individuals dissatisfied with ability to exercise rights can pursue both
admin and judicial remedies
i. Right of transparency, access to data, rectification, erasure,
restriction of processing, data portability, objection, informed of
serious breaches
b. Individuals can either pursue data subject rights against controllers or
go to DPAs and courts
2. Remedies for breach of obligations
a. Complaints regarding non-compliance can be submitted to DPAs or to
courts regardless of whether complaints have been submitted to
controllers
b. Individuals can pursue both litigation based on national laws and
complain to regulators but litigation is expensive. DPAs are cheaper
 c. Individuals can purse complaints be4 DPA for their place of residence,
before DPA for their place of work, before DPA for place where the
infringement took place if different
3. Representative actions
a. Regulation allows individuals to elect to be represented by NGOs known
as Civil Society Organisations and privacy advocates or pressure
groups
b. Representation can be on behalf of a single individual/group of
individuals eg in UK Vidal-Hall litigation and The Europe v. FB
4. Liability and compensation claims
a. Individuals can pursue compensation claims against controllers and
processors if they suffer material (financial)and non material damages
(distress) from non-compliance
b. Controllers/processors can defend themselves by showing that they
were not responsible for the event that gives rise to damage
5. Regulating Regulators
a. If an individual’s complaint is not acted on within 3 months, they can
take action against the DPA example Schrems case which involved the
Irish Data Protection Commissioner not undertaking an investigation
into the lawfulness of transfers of personal data to the US
b. Under Article 78 if an individual is unhappy with DPA’s decision
affecting them, either too lenient or failing to take the right kind of
corrective action
iii. Supervisory Authorities
1. Include national supervisory authorities in EU such as
a. Commission Nationale de l’informatique et des Libertes (CNIL) France
b. Information Commissioner’s Office in UK
c. Agencia Espanola de Protection de Datos in Spain
2. Supervisory authorities and their powers
a. Independent national regulators
i. Independent public authorities are designated by Member States to monitor
implementation of Regulation
ii. Such regulators should have sufficient skills and resources and not depend on TP or govt
1. Commission v Germany: European Court of Justice found that Germany had
failed to transpose an Article of the Directive cos the regulators were subject to
State Scrutiny. Similar case brought in Austria
b. Regulators and Law making
i. Regulators should be consulted by parliaments on data protection issues
ii. They have influence over legislative agendas
c. Regulator’s Tasks
i. Promote awareness and understanding of data protection including risks, safeguards and
rights
ii. Handle complaints and carry out investigations
iii. Support consistent application of Regulation internationally - includes working with the
consistency mechanism providing mutual assistance and supporting the European Data
Protection Board
iv. Monitor devt of information and communication technologies and commercial practices
d. More Discrete Tasks of DPAs under the Regulation
i. Receiving and dealing with complaints from individuals in excellent position to bring data
protection contraventions to the attention of the regulator
ii. Should publish lists where DPIAs should be carried out and where they are not required
iii. Codes of conduct, certifications, seals and marks - encourage their devt and provide
opinion regarding whether draft code, amendment, or extension compiles with GDPR
iv. Contractual clauses and BCRs for international transfer
 1. Controllers and processors can obtain authorizations from DPAs for use of
contractual models to transfer personal data from EU subject to consistency
mechanism
v. Records of infringement and action taken
vi. Charge costs on manifestly unfounded or excessive requests
vii. Should make public statements about their activities; annual reports promote transparency
regarding activities of the DPAs
e. Regulators powers
i. Investigatory powers
1. Can start investigations regarding controllers/processors’ non compliance with
GDPR
2. DPAs can seek disclosure of documentary evidence such as policy frameworks
built; privacy by design frameworks, processor contracts, records of data
processing activities compiled, breach logs maintained and risk assessments
undertaken; third party reports, external audit report. Excluded are privileged info
3. DPAs carry out operational reviews including audits and inspection of premises
and processing equipment
ii. Corrective powers
1. DPAs have power to warn controllers and processors about dubious data
processing activities and also stop biz activities
iii. Authorization and advisory powers
1. Regarding codes of conduct, certifications, marks and seals and international
transfers of personal data
f. Litigation by Regulators
i. Can take legal proceedings against controllers and processors
g. Protecting controllers and processors from precipitous regulatory action
i. Regulators and individuals can make wrong decisions; need to protect controllers and
processors against regulatory action
h. Professional secrecy
i. Need for DPAs and staff to maintain confidentiality
3. Competence and international cooperation
a. Regulating controllers and Processors established in the DPAs member states
i. Each DPA shall be competent in the territory of its member state
b. Competence regulating cross-border processing - Lead Authority rules apply here only
i. Where controller/processor is established in multiple territories, lead authority will be
required to regulate cross-border processing
ii. Non lead authorities can take action in cross-border situations where complaints is in their
territory and substantially affects individuals only in their territory
iii. DPA asserting competence will need to notify lead authority - may trigger battle of
competence
1. If lead authority rejects assertion of competence and decides to take up matter
by itself, procedure under Art 60 must be followed
2. If lead authority is accepting assertion of competence that DPA can proceed with
mutual assistance and joint operations
iv. Disputes and challenges regarding competence in multinational and cross border
situations arise following a complaint by an individual to one of the DPAs
c. Lead Authority - Achieving Cooperation and Resolving Disputes
i. Occurs with request for mutual assistance or joint operations
ii. Also occurs when non-lead DPA asserts competence
iii. Procedure
1. Draft decision by lead authority to other concerned DPAs that might trigger
comments, reasoned objection from another DPA or simply agreement to draft
decision
2. Reasoned objection that lead authority can reject or accept objection
 a. If accepts objection - issue revised draft decision. Other DPAs can
accept the revised decision or make another reasoned objection,
resulting in another draft decision and process continues until impasse
is broken with a referral to EDPB
b. Reasoned objections received but rejected, lead authority follows
consistency mechanism
c. No objections are made at first draft decision stage, lead authority and
DPAs are deemed to be in agreement and draft decision binding with
timetable procedure for all key events
d. If draft decision is accepted, lead authority adopts it and notifies
controller/processor at main establishment or single establishment, the
other DPAs and the EDPB. If complaint was from an individual via a
non-lead DPA, individual will be notified of outcome
i. Burden shifts to controller/processor to comply by reporting
back to lead authority regarding how this is achieve
d. Mutual Assistance and Joint Operations btn DPAs
i. DPAs are mandated to put in place appropriate measures to provide assistance without
undue delay subject to one month long stop
ii. Requests must be supported by necessary info to enable receiving DPA to understand
nature and purpose of the request
iii. Receiving DPA must comply unless there are exceptions. If no assistance in a month,
requesting DPA can adopt a provisional measure triggering urgency procedure
iv. If controllers and processors are established in multiple territories or processing activities
substantially affect a significant number of individuals in multiple territories all concerned
DPAs have right to participate in joint operations
e. Consistency Mechanism and the EDPB
4. The European Data Protection Board
a. EDPB succeeds Art 29 WP; consists of chairperson, heads of DPAs, European Data Protection
Supervisor and Commission
b. It is at heart of the Consistency Mechanism
i. Opinions of EDPB
1. Issues opinions on lists of circumstances when DPIAs are required on adoption
of proposed codes of conduct that affect multiple member states, criteria for
accreditation of code monitoring bodies and certification bodies, contractual
clauses approved by DPAs and BCR authorisations
2. Issued after DPAs have done initial work on rules on DPIAs etc and need to send
decision to EDPB for opinions -timetabled process for pdtn of opinion
3. Any DPA, EDPB Chairperson or Commission can request opinions on matters of
general application or producing effects in multiple member states
ii. Dispute Resolution by EDPB
1. Triggered when a lead authority rejects reasoned objection to draft decision
concerning cross-border processing
2. Triggered when there is dispute btn DPAs regarding who is competent to
regulate main establishment
3. Triggered when DPA fails to refer decisions on DPIA lists, codes of conduct and
international transfer mechanisms to EDPB. Outcome of dispute resolution
procedure is adoption of binding decision
4. Final decision made by lead authority or other receiving DPA is based on binding
decision
iii. Urgency Procedure
1. DPAs required to immediately adopt provisional measures that produce legal
effects in their territories in order to protect rights and freedoms of individuals
 2.
Provisional measures subject to 3 month lifespan and whenever they are
adopted, they have to be referred by DPA with reasons to other DPAs that have
concern in matter, EDPB and Commission
3. Provisional measures lapse after 3 months unless DPA considers final measures
will need to be urgently adopted. In such circumstances, can request an urgent
opinion/ urgent binding decision from EDPB
5. Role of the European Data Protection Supervisor (EDPS)
6. Sanctions and Penalties

Article 88(4) Article 88(5)

Fines up to 10 mil Euros for non-undertakings (not engaged in Fines up to 20 mil euros for non-undertakings
economic activities like public authorities)

Fines up to 10 mil euros or 2% of total worldwide annual Fines up to 20 mil euros or 4% of total worldwide annual
turnover in preceding year for undertakings (companies) turnover in preceding year for undertakings (companies)

Articles 8, 11, 25-39, 42, 43 (controller and processor Art 5,6,7,9, 12-22, 44-49, 58(1) and (2)
infringements); articles 42 and 43 - certification body
infringements and Article 41(4) - monitoring body infringements

Covers children consent, data protection by design/default, Covers data protection principles, lawfulness of processing,
engagement of processors by controllers, records of consent, processing of special category data, data subject
processing, cooperation with regulators, security, breach rights, international transfers, failure to comply with DPAs
notification, DPIAs, DPOS, codes of conduct and certifications investigatory and corrective powers

a. Factors to be considered before fines are imposed

i. All fines have to be effective, proportionate and dissuasive and can be imposed with
exercise of DPAs investigatory and corrective powers
ii. The following factors will need to be considered before a fine is imposed
1. Nature, gravity and duration of infringement taking into account nature, scope or
purpose of processing concerned
2. Intentional /negligent character of infringement
3. Action taken by controller/processor to mitigate damage suffered by data
subjects
4. Degree of responsibility of controller/processor taking into account technical and
organisational measures implemented by them
5. Previous infringements by controller/processor
6. Degree of cooperation with supervisory authority in order to remedy infringement
and mitigate possible adverse effects of infringement
7. Categories of personal data affected by infringement
8. Manner in which infringement became known to supervisory authority and to
what extent controller / processor notified infringement
9. Whether measures have previously been ordered against controller/processor
with regard to same subject matter, compliance with those measures
10. Adherence to approved codes of conduct/approved certification mechanisms
11. Any other aggravating or mitigating factor applicable to circumstances of case
such as financial benefits gained/losses avoided directly/indirectly from the
infringement
iii. Maximum Fines for Non - undertakings
1. DPAs allowed to impose fines up to 10 mil Euros or 2 percent of worldwide
annual turnover in financial year before the fine. This is raised to 20 mil Euros or
4 percent depending on whether processor or controller is an undertaking or not
a. An undertaking is an entity engaged in commercial activity - companies
 2.Public authorities can be taken out of the fining regime above since Regulation
allows member states to law down rules regarding fines to be imposed on public
authorities
iv. Maximum Fines for Undertakings
1. A company that is a member of a group of companies can be fined maximum
percentage of its individual TO rather than percentage of groups’ TO - assuming
percentage threshold is higher than 10 mil or 20 mil number
b. Law Enforcement Data Protection Directive
i. Covers law enforcement community in public sector
ii. Has a mirror supervision and enforcement regime
iii. Lacks lead authority concept and financial penalties
c. Regulation supervision and enforcement - key provisions pg 253 - 258
K. Consequences for GDPR violations
1. Process and procedures
2. Infringements and fines
3. Data subject compensation

III.Compliance with European Data Protection Law and Regulation

A. Employment Relationship
1. Introduction
a. Employers collect and use personal data about employees
i. Recruitment, benefits, salary, personnel files, sickness records, monitoring and appraisals,
personnel reports and severance
ii. Need to collect data to comply with employment law
iii. Member states may provide rules regarding processing employees’ personal data
1. Finland has laws to deal with employee data
2. Germany has specific workplace privacy laws regarding surveillance
3. Some member state laws require consultation with national works councils
iv. Where member states implement national law, they must notify European Commission
2. Legal basis for processing of employee data
a. Consent from employees
i. Reliance on consent where employee has genuine free choice and is able to withdraw
consent without detriment
ii. Should be avoided because of unequal balance of power in employer employee
relationship
iii. Also even though consent is provided, processing of employee data may be unlawful or
unfair under local law
iv. Consent given may result in collection of data disproportionate to employer’s purpose
v. Only use consent when it is last resort and absolutely necessary
vi. In case it is necessary, employers must obtain written employee consent regarding how
employer seeks to use personal data
b. Necessary to fulfill employment contract btn employee and employer
i. Example includes paying employee
c. Necessary for compliance with legal obligation to which employer is subject
i. Example includes providing salary details to local tax authorities
d. Necessary for employer’s legitimate interests
i. Public authorities can not rely on legitimate interest
3. Processing Sensitive data
a. Processing sensitive data permitted under GDPR to carry out obligations and exercise specific
rights under employment, social security and social protection law where authorized by EU/Member
State law or Collective agreement
b. Processing of sensitive data depends on member state law
i. Poland has data that employer should ask employee or job applicant
ii. Portugal: DPA authorization needed b4 sensitive data is processed
 iii. Italy; DPA has issue authorization related to processing of employee data
c. Necessary to exercise or defend legal claims eg employee’s claim for unfair dismissal by fr
employer
4. Providing notice
a. Notice should be provided to employees informing them about use of their data
b. Employers can use employee handbook or specific notification document provided to all new
employees and available elsewhere on request such as company’s intranet
c. Notice must include: purposes for processing, legal basis, legitimate interest, ground relied upon,
recipients of the data, where data is transferred to and for how long employer retains it
5. Storage of personnel records
a. Data is collected from time of application. Where individual becomes employee, data can be
retained (employer has legitimate reason). Once they leave, no need to retain
b. Company law, employment law, health and safety law require employers to retain employee data
c. Employees may retain data to comply with labor, tax and social security legislation or other
regulation
d. Once employment ends, employer should change internal access to former employee’s records
6. Workplace monitoring and data loss prevention
a. Employee’s right to privacy is balanced with legitimate interests of an employer to operate its biz
and protect organization from rogue actions of employee
i. Background checks
1. Include checking social networking sites to verify educational background to
checks on past criminal activity
2. Do not use these checks to compile blacklists or id individuals not to hire
3. Blacklists significant privacy intrusion and illegal
4. Rules from background checks stem from data protection and employment law
a. Finland 2002 Act on Background Check law defines who can conduct
background check and requires consent of individual who is subject of
the check
ii. Data loss prevention
1. Biz use DLP tools to protect IT infrastructure and confidential biz info from
internal and external threats.
2. A form of employee monitoring though focus is on preventing loss of org’ data
b. Employee monitoring
i. Monitoring of employees including use of employer equipment depends on the following
principles
1. Necessity
a. Monitoring must be necessary for employer’s purpose
b. DPIA and privacy impact assessment should be carried out when
monitoring is likely to result in high risk to rights and freedoms of
individuals
c. DPIA shows whether planning monitoring is really required and
proportionate
d. DPIA also reveals privacy risks at early safe and consider what needs to
be done to mitigate risk
e. DPIA -Required if monitoring is systematic and extensive evaluation of
personal aspects of individuals based on automated processing and on
which decisions are based that produce legal effects or similarly affect
the individuals
2. Legitimacy
a. There should be lawful basis for monitoring; eg ensure work safety,
prevent disclosure of confidential info and ensure pornographic sites not
visited
b. Employers should consult local employment law-monitoring not
permitted in some cases
 c. Employers should consider collective agreements/ consult work councils
like in Germany
d. Employers should consider implications under human rights law;
decisions by CJEU on Charter of Fundamental Rights and European
Court of Human Rights on European Convention on Human Rights
e. Monitoring is intrusive but in some cases it is permitted
i. Screening of emails to detect viruses and filter unsolicited
commercial email
ii. Some jurisdictions permit monitoring of internet time or
regularity of telephone calls made to non-work numbers but not
content of websites / phone conversations
iii. Employers can block access to some websites to discourage
employees from visiting the websites
3. Proportionality
a. Proposed monitoring should be proportionate to employer’s concern
b. Wholesale automated monitoring of emails is proportionate to ensure
security of company IT systems where monitoring is carried out using
technical means to detect weakness in systems
c. Monitoring where possible should be limited to traffic data generated by
emails such as to who sent email and what time rather than content
d. Collective bargaining agreement useful regarding proportionality of
monitoring activity
4. Transparency
a. Necessary to meet notice requirement and set employees’ expectations
about how time at work will be monitored
b. If no notification, employer can lose action against rogue employee
whose behavior was caught through monitoring
c. Employees enjoy a certain degree of privacy in workplace
d. Employers can introduce an acceptable use policy for new and existing
employees regarding the expected standard of use for employer comm
equipment (telephone, email, internet)
i. Should specify how much private use of employer equipment is
ok (employees allowed limited private use of employer
equipment)
ii. Remind employees of the use of company equipment and of
the right of employers to monitor their use
e. Convert monitoring - when employer monitors employee identified of
wrongdoing / criminal activity and decides to engage in undercover
surveillance
i. Permitted in some EU jurisdictions and not permitted in others
ii. WP29 prohibits it unless local law permits it

5. Information to be provided to employers

a. Company email/internet policy describing extent facilities can be used
for personal or private comm
b. Reasons for and purposes for surveillance if any is being carried out
c. Details of surveillance measures taken
d. Details of any enforcement measures ; when and how employees are to
be notified of breaches
e. Monitoring of Email
i. Whether a worker is entitled to have email account only for
work; whether use of webmail accounts is permitted at work
and whether employer recommends use by workers of a
 private webmail account for purpose of accessing email for
personal use
ii. Arrangements in place to access contents of workers’ email
when absent
iii. Storage period for any backup copies of messages
iv. Info that concerns when emails are definitively deleted from
server
v. Involvement of workers’ representatives in formulating the
policy
f. Monitoring of Internet Use
i. Specify what can be accessed or not; conditions on which
private use of internet is permitted
ii. Info about systems implemented both to prevent access to
certain sites and misuse
iii. Info about employer’s representatives involvement in
implementation of policy and investigation of alleged breaches
g. If employer detects misuse of employer equipment by employee notify
employee unless there is important reason to justify surveillance without
employee notification
h. Employee may need to consult work councils regarding monitoring
arrangements and in some cases need their consent b4 commencing
monitoring. Local laws will vary
6. Rights of accused employee
a. Exercise caution when dealing with potential misuse of internet by
employee. Could be accidental
7. Unlawful monitoring by employer
a. Hard to justify monitoring involving collection of sensitive personal data
b. Monitoring that is particularly intrusive is unlawful
c. Covert surveillance unlawful unless employer has DPA’s consent or
exception applies
d. Employers should not access personal comm of employees on work-
related email if they are marked private
7. EU Works councils
a. Works councils are bodies that represent employees and have certain rights under local law that
affect the use of employee data by employers
b. They have an obligation to safeguard employee rights including data protection and privacy rights
c. More active in France, Germany and Italy. UK does not have work councils and trade unions
inactive
i. Germany works councils object to use of employee monitoring devices
d. Employers engage with works councils in following ways:
i. Notifying the works council; Local law may require employer to notify works council about
changes to work environment that will affect employee working conditions
ii. Consulting with works council; Local law may require employer to consult with works
council about proposed data processing activity; works’ council may issue an opinion that
is not binding on employer
iii. Seeking approval of works council; Local law may give works council right to approve or
reject certain decisions of employer. Known as right to codetermination. Where works
council rejects a decision, employer may challenge this in the local courts
e. In some cases, processing activity that involves employee data also involves interacting with DPA,
DPA may not approve processing unless and until works council has been involved
f. Failure to engage with works council would mean that processing is unlawful and works council
may have right to seek an injunction and employer subject to financial penalties
8. Whistleblowing systems
a. Sarbanes-Oxley
 i. Whistle blowing schemes permit employees to expose any unlawful or improper activity
taking place within the workplace
ii. US Companies with EU subsidiaries/affiliates are bound by Sarbanes Oxley Act
1. Creates conflict btn SOX requiring companies to facilitate ability of employees to
report wrong-doing and EU Data Protection laws limiting use of personal data
due to potential prejudice to individuals
iii. SOX passed because of high profile corporate and accounting scandals involving global
companies
iv. Ensures companies are more responsible and accountable
v. Companies need to establish a way to receive confidential complaints regarding actual or
potential fraud from misappropriation of assets and/or material misstatements in financial
reporting
1. Companies implement company policy that reinforces strong adherence to
internal controls
2. Encourages those with knowledge of actual or potential fraud to report such
instances
3. Reiterating confidential nature of reporting and protection for whistle-blower
4. Some companies have an independent third party whistle blowing or ethic hotline
provider available to all employees to report their complaints
vi. Spain and Portugal sensitive about employees making anonymous reports
b. Issues for compliance
i. Employer seeking to comply with EU Data protection law while operating whistleblowing
scheme needs to:
1. Conduct DPIA for whistle blowing scheme to assess impact on personal data
2. Liaise with work councils as required under local employment law
3. Whether consent from employees is required and in what from
4. Whether compliance is particular jurisdiction is complicated due to policy of DPA-
Portugal
5. Developing whistle blowing policy and process that is transparent to employees
informing them of scope of scheme and how personal data will be used in
scheme
6. Ensuring individual employee’s right are under data protection law are protected
appropriately under the scheme
7. Mechanism for transferring personal data in reports outside the EU to a non-EU
based company for further processing either in form of standard contractual
clauses o BCR
8. Processing contracts with any processors who are based outside EU where such
contracts will need to comply with gdpr concerning appointing processors and
legitimising international data transfers
c. Whistle blowing policy
i. French DPA first to consider lawfulness of whistle blowing schemes under EU Data
Protection Law
ii. WP29 Opinion on whistleblowing
1. Individuals reporting; limit persons entitled to report to those in position to know
about potential conduct of incriminated persons
2. Individuals incriminated: Limit individuals who may be incriminated to those who
are known likely to be known because they work in same section or department
by persons reporting them
3. Confidentiality vs Anonymity: ID of whistle-blower should remain confidential.
Anonymous reporting should be discouraged
4. Scope of reports: Limit scope to reportable matters that realistically affect org
corporate governance
5. Management of reports: Should be subject to objective, confidential and
unbiased investigation
 6. Data retention: Strict data retention after investigation like 2 months and delete
immediately any reports found to be unsubstantiated
7. Information provision: Policy should be clear in which the whistle blowing scheme
is operated
8. Rights of incriminated persons: include circumstances when rights of
incriminated persons may be limited (info provision, access, rectification, erasure
and restriction) so that investigation is not jeopardised
9. Security of reports: Policy developed to deal with reports collected via the
scheme
10. Transfers outside the EEA- Data processed outside European Economic Area
must be processed according to EU Data Protection Standards
9. 'Bring your own device' (BYOD) programs
a. Employees permitted to use own personal devices for communications in workplace
b. Employee may integrate work email onto personal device to get both work and personal comm
c. However, employer should seek strong protection over device since it has work related data
d. Companies introducing BYOD should
i. Establish BYOD policy explaining how to use BYOD and responsibilities
ii. Be transparent about where data processed using device is stored and measures taken to
ensure security
iii. Ensure transfer of data from personal device to company servers is secure to avoid any
interceptions as far as possible
iv. Consider how to manage personal data held on device once employee leaves the
company or the device is stolen or lost. Mobile device management software can be used
to locate devices and remove data on demand

B. Surveillance Activities
1. Introduction
a. Surveillance is getting easier
i. Equipment for monitoring is getting cheaper and sophisticated
ii. Technological and economic barriers to surveillance facilitate collection, exchange,
retention and processing of personal data
iii. Info collected is used for national security, prevention and detection crime, personalization
of consumer svs
iv. Internet and technology convergence and proliferation of mobile svs means more info is
being generated and available for surveillance
v. Four types of surveillance
1. Communications data
2. Video surveillance
3. Biometric data
4. Location data
b. Technology
i. Purpose of new technologies is to make our lives safer, easier and more pleasant and
generate wealth of data
1. Closed Circuit TV record our actions to help protect security at home, work and
public places
2. Biometric data can be used for identification, authentication and verification
3. Payment cards keep track of every purchase we make with card
4. Mobile phones generate accurate info about location and moves
5. Technologies can lead to networked interconnection of everyday objects known
as the Internet of Things
ii. Surveillance activities undertaken by public and private authorities for lawful purposes
1. Employee monitoring
2. Social networks analysis and mapping
3. Data mining and profiling
 4. Aerial surveillance
5. Satellite imaging
6. Telecommunications surveillance for enforcement, improvement of commercial
svs and online behavioral advertising
7. Monitoring of people’s movement through mobile telecommunications, location
data, CCTV cameras or geolocation technologies such as the global positioning
system(GPS) and biometric surveillance
c. Regulation
i. Purpose of privacy and data protection law and regulatory practice is to regulate, limit and
condition surveillance activities to ensure where surveillance activities result in invasion of
privacy, it is lawful, fair, and proportionate
1. Such restrictions acts as safeguards to protect states, society and individuals
2. National and public security, prevention and detection of crime and protection of
data subject and rights of freedoms of others are valid reasons for restriction
ii. Carried out by
1. Public and state agencies for national security or law enforcement purposes
conducted with respect to individual rights based on Charter of Fundamental
Rights
2. Private entities for their purposes subject to EU and member state legislation
governing confidentiality, privacy, data protection and civil rights such as those
under employment law
iii. Covert investigations or video surveillance can be carried out for purposes of preventing,
investigating and detecting and prosecuting criminal offenses and safeguarding against
and preventing threats to public security so long as they a necessary and proportionate
measure in a democratic society with due regard for legitimate interest of natural person
concerned
iv. State agencies can monitor, collect and share data to prevent crime and terrorism
2. Surveillance by public authorities
a. Restriction of rights of data subject allowed where it respects the essence of fundamental rights
and freedoms is a necessary and proportionate measure in a democratic society based on Charter
of Fundamental Rights and European Convention for protection of Human Rights and Fundamental
Freedoms
3. Interception of communications data
a. Refers to traditional surveillance like interception of postal services and use of human spies and
surveillance devices
b. Receding in favor of modern high tech surveillance telecommunication including internet activity
c. Electronic communications comprise
i. Content of a communication
1. Telephone call conversation btn parties to call; in relation to SMS, words in a
message; in relation to email-email subject line, words in email body and
attachments
ii. Metadata
1. Data about data generated or processed as consequence of a communication
transmission providing context to the communication. These include:
a. Traffic data
i. Includes info about type, format, time, duration, origin, and
destination, routing, protocol used, originating and terminating
network of communication.
ii. In relation to telephone call includes calling and called
numbers, in relation to email-sender and recipient email
addresses and size of attachments
b. Location data
i. Refers to latitude, longitude and altitude of user’s equipment,
direction of travel, level of accuracy of location info,
 identification of network cell (Cell ID) in which user device is
located at a certain time
c. Subscriber data
i. Name, contact details and payment info
ii. Content of comm req greater protection than metadata
iii. Metadata reveals the following info:
1. The who - parties involved
2. The where - location of parties
3. The when - time and duration
4. The what - type either email or phone call
5. The how - device used, mobile phone or tablet
iv. Metadata can be used to identify individual hence personal
data
v. EU attempt to make telecommunication services retain call
metadata for longer than justified from operators biz needs
vi. The Data Retention Directive 2006/24/EC governing retention
of data generated or processed in connection with provision of
publicly available electronic communication svs or of public
communication networks was invalidated by CJEU for being
disproportionate and infringing individuals’ privacy rights
vii. Member states decided to rewrite retention laws.

4. Closed-circuit television (CCTV) / Video Surveillance

a. CCTV may capture images of people or things that may be used to identify an individual such as
car number or license plate.
b. If video surveillance involves processing of personal data, must comply with requirements of
Regulation and LEDP Directive
c. If an image is captured whether static (picture of face) or moving (video of individual moving) it falls
within Regulation
i. Biometric data - personal data resulting from specific technical processing relating to
physical, physiological or behavioral characteristics of a natural person which allow or
confirm the unique identification of that natural person such as facial image or
dactyloscopic data
d. Lawfulness of Processing
i. Consent inapplicable but legitimate interest pursued by data controller or third party is
valid legal basis for processing personal data captured by CCTV
ii. However because biometric data falls within special categories of personal data, one of
permitted conditions will need to be applied by biz
1. Controller will need to rely on provision of member state law to conduct video
surveillance in a particular context (for employers where employee consent
inapplicable); in the public interest for a public area, in exercise of public authority
such as for monitoring traffic
e. Data Protection Impact Assessment
i. Data Protection Impact Assessment will need to be completed if
1. Video surveillance is considered to be high risk
2. Involves systematic monitoring of a publicly accessible area on large scale or
3. Video surveillance has been included by the relevant supervisory authority on list
of data processing operations requiring DPIA
ii. DPIA will need to describe
1. Processing to be carried out
2. Purposes of processing
3. Legitimate interest pursued by the data controller
4. Assessment of what it is necessary and proportionate in relation to purposes
 5. Assessment of risks to rights and freedoms of data subjects impacted by
surveillance
6. Measures required to address risks, protect personal data and demonstrate the
compliance, taking into account rights and legitimate interests of data subjects
and persons concerned
iii. If DPIA indicates high risks can’t be sufficiently mitigated then data controller should
consult supervisory authority prior to using video surveillance
iv. If public interest is lawful basis of processing, member states may make consultation with
supervisory authority mandatory regardless of mitigation
v. Use of video surveillance is proportionate, adequate, relevant and not excessive where
less intrusive methods have been considered found to be inapplicable or inadequate for
intended lawful purpose (improved lighting, alarms, armoured doors or access cards)
vi. Proportionality extends to selection of particular system and type of technology like remote
control, zooming functionality, facial recognition or sound recording capabilities
1. Consider problems, benefits to be gained from CCTV, whether images of
identifiable individuals are necessary or whether images not identifying
individuals suffice, ways to minimize intrusion on those being monitored
vii. Proportionality also extends to key aspects of use of CCTV and whether processing of
CCTV footage is proportionate to purpose for which CCTV system is used. These include:
1. Operational and monitoring arranges
2. Retention of CCTV footage; retained if strictly necessary for purpose such as
evidence in legal proceedings or subsequent investigations
3. Need to disclose CCTV footage to third parties like police
4. Whether CCTV footage will be combined with other info eg identifying individuals
5. Surveillance areas where people have high expectation of privacy such as
changing rooms or lavatories. Only monitor such areas where it is necessary to
do so and in the most exceptional circumstances and only where necessary to
deal with very serious concerns. Individuals should be made aware that they are
under surveillance
viii. Measures to protect personal data and rights of individuals include:
1. Staff training: Authorized personnel operating system and accessing footage
2. CCTV Policy; addressing data retention, privacy issues and processing
purposes, disclosure to third parties, responding to subject access requests etc
3. Regular reviews to ensure compliance: proactive checks and audits carried out
on regular basis to ensure continuing compliance
f. Data Subjects and CCTV
i. Overt video surveillance where controller has no relationship with data subjects and
cameras cover a large public place, be transparent so that individuals are aware of CCTV
ii. Such info will need to be visible and placed within reasonable distance of monitored area
1. Prominent camera symbol with further info is a recognized approach
2. Info should include purpose of processing, identify controller and contact details
3. Controller should be ready to provide full info when data subject makes contact
iii. Where CCTV footage includes pictures of other people, measures should be taken to
safeguard their privacy by blurring images
5. Biometric data
a. Biometrics is technology where unique identifiable attributes of people are used for identification
and authentication
i. Include DNA, Fingerprints, palms, vein patterns, retina and iris patterns, odour, voice,
face, handwriting, keystroke technique and gait
b. May be in raw form (image of face/fingerprint) or biometric template that is digital representation of
distinct characteristics extracted from raw data
i. Biometric template must include sufficient detail to allow an individual to be identified from
the population of individuals stored by biometric systems
c. Biometric systems may be used in private or public sectors for the following purposes
 i. Identification - who are you
ii. Authentication - Are you who you claim to be
d. To be considered as special category of data, the biometric data should be processed to uniquely
identify a natural person; if used to permit access to location as part of group of identifiers then not
special category of data
e. Member states may implement further restrictions on the processing of biometric data
6. Geolocation
a. Introduction
i. Location based services utilise info about location to deliver applications and svs including
social networking and gaming, entertainment, advertising and marketing, information,
navigation, commerce, payment, tracking goods and people, security and emergency
response svs
ii. LBS rely on technical ability to localize a portable device such as mobile phone, GPS
receiver, SatNat Device, Radio Frequency Identification tag (RFID), chip in a credit card or
travel card
b. Main types of location data
i. Satellite network generated data such as GPS and Galileo Global Satellite Navigation
system data. Examples of LSB using satellite generated data include navigation svs,
security and social networking svs
ii. Cell based mobile networked generated data. Examples of LBS using mobile network data
may include location specific information services or advertising delivered on mobile
handsets; data generated from other wireless technologies such as sensor based systems
(biometrics scanners or license plate scanners for vehicles) and proximity, near field or
personal area networks (Bluetooth, Wi Fi, near-field communication or RFID that can
detect presence of a device within a small relatively local area). LBS examples include
RFID applications and contactless payments using NFC enabled smartphones.
iii. Chip card generated area (data generated from use of payment cards or access cards
such as those used by employees to enter their workplace or members of public using a
metro system)
iv. Googles and location data
1. Implicit location info - Google infers user is interested in a place or user might be
at the place. Eg when user manually types a search query for a particular place
and google shows them places around that place
2. Internet traffic info such as IP address can be used to identify country of users’
device and allow google to assume correct language and locale for search
queries
3. Device-based location svs: Google Maps for mobile require more precise location
info and user to enable device based location services on their device. Services
using GPS signals, device sensors, Wi-Fi access points and Cell IDs can be
used to derive or estimate precise locations
c. Location data under regulation
i. An identifier that may identify or lead to identification of person. If used alone or in
combination with other info to identify someone then it is personal data
ii. Location svs may allow tracking of individual in real time through an app or from records
maintained by mobile operators
iii. Location history may allow certain info to be inferred about individual including political
opinions, religious beliefs or medical conditions
iv. May be employed for stalking or harassment
v. An app developer may need to decide whether use of app that makes use of location data
may result in high risk to user and trigger the requirement to complete DPIA
C. Direct Marketing
1. Introduction
a. Direct marketing involves use of data collected through the addresse’s device such as location data
or data collected from cookies
b. No longer limited to postal mail and email but also sent via third platform messages, push and in
app messaging
c. National laws, regulations and codes apply to direct marketing
d. Under regulation, direct marketing includes any form of sales promotion even direct marketing by
charities and political organizations (for fundraising purposes) directed to particular individuals
i. Direct marketing only applies where individuals’ personal data is processed to
communicate marketing message to them. The following is not direct marketing
1. Marketing communications not directed at individuals
2. Messages purely service related in nature - status of an order
e. Digital and non-digital marketing
i. Where direct marketing is sent over electronic communication networks such as phone,
fax, email, SMS/MMS, eprivacy Directive applies
ii. Directive and Regulation apply to all direct marketing communications sent by post,phone,
fax, electronic mail, online advertising targeted at individuals based on internet browsing
history
f. Marketing requirements under the regulation
i. Lawful basis for collection and use of data subjects’ personal data rely on unambiguous
consent or legitimate interest
ii. Provide individuals with fair processing info explaining personal data will be used for
marketing purposes
iii. Implement appropriate technical and org measures to protect personal data processed
including writing contracts with data protection obligations with service providers that send
direct marketing on data controller’s behalf
iv. Not exporting personal data outside of EEA unless adequate protection is in place
v. Fully satisfying compliance duties under Regulation
g. Right to opt-out
i. Individuals have right to refuse or opt out of direct marketing sent by data controller
ii. Opt out applies if data collection and further processing is based on legitimate interest
iii. Regulation also requires
1. Individuals are always informed of right to opt out at time of first comm with the
data subject
2. Marketers must allow individuals to opt out across all marketing channels
3. Data controllers should honor opt-outs in timely fashion and no cost to individuals
4. Personal data to be deleted unless retention is strictly required for compelling
legitimate grounds - exercise or defence of legal claims
5. Profiling data must be removed as well
iv. Where individuals choose opt out, controllers should suppress and not delete contact
details so that they retain a record that those individuals will not be sent any marketing
communications unless and until they change their mind
v. Member states have a Robinson List or Preference services that allow individuals to
submit a global opt-out from all direct marketing over a particular communication channel
regardless of the originator of the marketing
1. Many EU States have separate preference svs for mail, telephone, fax
2. Most EU member states require data controllers to cleanse marketing contact
lists against applicable national opt out registers in addition to own internal opt
out records before conducting direct marketing campaigns
3. Failure to cleanse a robinson list is violation of national law
4. UK has Mail Preference Service for postal marketing but no legal requirement to
cleanse a marketing database against this
h. Marketing requirements under the ePrivacy Directive
i. Consent and info requirements from data controllers to marketing by phone, fax and
electronic mail including SMS and instant messaging
ii. Most forms of digital marketing req prior opt-in consent of intended recipient
 1. Limited exemption for email marketing communicated on opt out basis to
individuals whose details data controller collected in context of sale of pdt or svs
iii. ePrivacy directive has rules that impact location based marketing and data controllers’
ability to use cookies for online behavioral advertising
iv. ePrivacy provisions have no direct effect had to be implemented in national laws of EU
member states.
2. Telemarketing
3. Direct marketing
a. Postal marketing
i. Not subject to ePrivacy Directive since it is not digital marketing
ii. Marketers need to satisfy general requirements under national data protection laws and
Reg
1. Include ensuring lawful processing, transparency respecting opt-out requests and
other data subjects’ rights
iii. Consent requirements
1. Some EU states mandates consent for direct postal marketing - Belgium, Greece
and Spain
2. If consent does not apply, controllers can rely on legitimate interests to send
direct postal marketing. Should consider:
a. Whether the individual is an existing customer of the data controller
making it more than likely that the individual would receive marketing
b. Nature of pdts and svs that the data controller wishes to market and in
particular whether the individual would expect controller to send
marketing material
c. Whether data controller has previously told individual it will not send
direct marketing communications
3. In Austria, Denmark and Netherlands, data controllers must cleanse contact lists
against applicable national opt out registers b4 sending direct postal marketing
unless controller has valid opt-in consent from the individual
4. Clearance against national opt-out registers may be necessary to comply with
self regulatory standards like Direct Marketing Assoc Code of Practice in the UK
b. Telephone marketing
i. Form of digital marketing subject to ePrivacy Directive requirements
ii. Data controllers must satisfy transparency and lawful processing requirement
iii. Consent requirements
1. No express requirement to obtain consent from individuals for person-to-person
direct marketing
2. Directive allows member states to decide whether person to person telephone
marketing should be conducted on an opt-in or opt-out basis
3. Member states permitting telephone marketing on opt-out basis require data
controllers first cleanse their call lists against applicable national opt out registers
4. Member states should ensure that individual have a means by which to opt-out
free of charge from direct marketing
5. Some countries req in each call mention national-opt out register and offer
individual to be registered at once at no charge
iv. Automated calling systems
1. Obtain individual’s prior opt in consent to use calling systems for direct marketing
2. No restriction on using the systems to call target numbers to facilitate live person
to person conversations
3. UK and Poland require identity and contact details of caller to be provided
v. B2B v B2C Telephone marketing
1. Data controllers must have a lawful basis under Regulation to process
employees personal data before instigating B2B telephone marketing to
employees
 2. Restrictions to unsolicited telephone marketing apply to B2C and B2B
Communications
3. If national laws differentiate btn B2B and B2C phone marketing and permit B2B
calls on opt out basis data controllers may be required under national law to
cleanse intended phone marketing contacts against a central opt out register. UK
marketers must cleanse marketing contact lists against Corporate Telephone
Preference Service before making B2B Direct marketing calls
c. Marketing by electronic mail, including email, sms, MMS
i. Form of digital marketing. ePrivacy Directive applies
ii. Electronic mail - text, voice, sound or image message sent over a public communications
network which can be stored in network or in recipient’s terminal equipment until it is
collected by recipient
iii. Technology neutral requirement includes direct marketing by email, SMS, MMS
iv. Consent requirements
1. Prior consent from individuals required to send them marketing by electronic mail
2. This will involve presenting individuals with fair processing notice at time data is
collected asking them to agree to direct marketing by electronic mail
3. Opt-out exception
a. Exemption from strict opt in requirement for direct marketing by
electronic mail to individuals whose details data controller obtained in
context of sale of a product or service (soft-opt in rule) provided
i. Data controller obtained individuals electronic mail contact
details in context of sale of a product or service
1. Austria, Belgium and Denmark require contact details
collected during course of transaction
2. Netherlands and UK apply it to contact details
obtained where no sales were made - presales
communications, registering a website account or
submitting a communication
ii. Data controller sends direct marketing to those individuals
about its own similar products or services
iii. Data controller clearly and distinctly gave those individuals the
opportunity to opt out of marketing by electronic mail that is
simple and free of charge both at the time their details were
initially collected and in each subsequent communication
v. Information requirements
1. Data controllers should provide individuals with valid address for opt-out request
2. Opt out address should be appropriate to the medium by which marketing
communication was sent; email marketing data controllers normally provide an
opt-out email address or an opt-out hypertext link; for SMS or MMS, data
controller must provide a mobile short code to which individuals can send opt-out
request
3. Data controllers
a. Must not conceal identity of sender on whose behalf communication is
made
b. Must ensure that message is clearly identifiable as commercial comm
c. Must ensure that any promotional offers - discounts, premiums, gifts are
clearly identifiable and conditions to qualify them are accessible,
presented clearly and unambiguously
d. Must ensure that any promotional competitions or games if permitted at
all in relevant member state are clearly identifiable and conditions for
participation are easily accessible, presented clearly and
unambiguously
d. Fax marketing
 i. Digital marketing subject to ePrivacy Directive
ii. Data controllers must satisfy transparency and lawful processing requirement
iii. Consent requirements
1. Need prior opt-in consent to send fax marketing
2. Data controllers must send fair processing notice at time individual’s personal
data is collected to ask them to agree to direct fax marketing
iv. B2B vs B2C Fax Marketing
1. Varies among member states similar to direct telephone and electronic mail
marketing
2. Regulation applies when processing employees’ contact details for B2B
marketing
3. Data controllers require lawful basis under Regulation to process employee
personal data before instigating B2B Fax marketing to employees
4. Where B2B fax marketing on opt out basis is required, data controllers may be
required to cleanse intended fax marketing contacts against central opt out
register
a. UK legal requirement for marketers to cleanse marketing contact list
against Fax Preference Service b4 making B2B direct marketing calls
e. Location based marketing
i. Introduction
1. Important for social networking and for marketers to reach audiences
ii. Compliance
1. Regulation applies when location svs involve processing personal data in context
of location based marketing and includes transparency and lawful processing
2. Specific consent and opt out provisions apply when individual’s location data is
processed
iii. Location Data
1. Any data processed in electronic communications network by an electronic
communication service indicating geographic position of the terminal equipment
of user of a publicly available electronic comm svs
2. Includes info about latitude, longitude and direction of travel of individual’s
terminal equipment
3. ePrivacy applies to geographic position of individual’s terminal equipment not
location of a person
iv. Consent requirements
1. Opt in consent required to use location data to provide value added service
2. Includes location based marketing svs and individuals must opt in to receive
location based marketing
a. Exemption: If location data is processed in anonymised form
v. Information requirements
1. Obtaining valid consent requires
a. Information of types of location data to be collected and processed
b. Purposes and duration of processing
c. Whether data will be transmitted to third party for purpose of providing
the value added svs
vi. Withdrawing Consent
1. Individuals should have ability to withdraw consent or opt out to use location data
for location based marketing purposes
2. Opting out should be simple and free of charge and must exist thruout the period
during which individual’s location data is processed
3. Data controllers must offer:
a. Right to opt out of having location data processed for marketing
purposes entirely
 b. Temporary right to opt out of having location data processed for
marketing purpose on each connection to network or for each
transmission of communication
4. Data controllers must process location data to extent and duration necessary to
provide value added service
4. Online behavioural targeting
a. Website advertising that is targeted at individuals based on the observation of their behavior over
time
i. Enables advertisers to deliver advertising that is more relevant to individuals’ likes and
interests and improve effectiveness and click through rate of online advertising
ii. How it Works
1. OBA delivered by website publisher itself (first party advertising)-making pdt
recommendations based on visit to website
2. Third party advertising networks - web publishers turn to TP to serve OBA on
their behalf - concerning cos advertising networks may track individuals’ behavior
across multiple, unaffiliated websites to target their advertising.It works in the
following ways:
a. Advertisers instruct TP ad network to advertise on their behalf
b. Individuals visiting website partnering with ad network will have cookie
placed on individual’s computer. Cookie assigned a unique identifier like
a serial number that is specific to that cookie
c. Ad network records the identifier assigned to that cookie in its database.
May record IP address and type of browser used
d. Information recorded based on individual browsing the website (content
viewed, searches entered, adverts clicked on, products and services
purchased by individual) is recorded against a unique identifier assigned
to individual’s cookie and profile assigned to that identifier
b. OBA and Regulation
i. Personal data includes online identifiers that can lead to identification of individuals
1. Tracking of users of a specific computer even when dynamic addresses are used
2. Tracking that enables users to be singled out
ii. Regulation also mentions profiling - any form of automated processing of personal data
consisting of use of personal data to evaluate personal aspects relating to a natural
person in particular to analyze or predict aspects concerning natural person's’
performance at work, economic situation, health, personal preferences, interests,
reliability, behavior, location or movt
iii. Which entity must take responsibility for complying with the regulation - data controller in a
third party ad network arrangement
1. Ad networks are data controllers because they have complete control over
purposes and means for which website visitor info is processed-they collect info
that browser reveals and build profiles; rent space from publisher websites etc
2. Website publishers joint data controller with ad network based on collaboration
btn network provider where website publishers engage ad networks to serve
OBA through their websites, they owe certain responsibility to website visitors
3. Advertisers may qualify as independent data controllers by clicking on targeted
advert through to the advertiser’s website. The advertiser then monitors
individual’s subsequent browsing activity and combine it with targeting profile
relating to individual
c. OBA and ePrivacy Regulation
i. Applies regardless of whether OBA information is personal data
ii. Focus is on use of cookies and other devices to store or gain access to info on individual’s
computer
iii. BE4 amendment, placement of cookies ok if individuals received info but necessarily in
advance about use of cookies and were allowed the right to refuse them. After
 Amendment, use of cookies to store or access info in an individual’s computer allowed on
condition that
1. individual has given prior informed consent having been given clear and
comprehensive info
2. Consent should be freely given and revocable. Opt out mechanism insufficient
3. Citizens’ Rights Directive Amendment - Consent can be expressed thru use of
browser/application settings where this is technically possible and effective
a. Conflicts with WP29 where they state user not always familiar with
browser setting, use of browser setting insufficient to obtain consent
4. Poland and Italy - strict opt in consent requirement to serve cookies
5. Germany, France and UK- Consent may be given in more implied manner such
as user continuing to use website after having displayed info on cookies served
on it
6. Most member states - consent cannot be inferred from users’ browser settings.
Regulators may accept this if proper info on cookies used was displayed and
user is informed on how it can change cookie consent settings
7. Website with third party cookie should provide info on which cookies belongs to
which third parties and where info on processing by such TP can be found
5. Enforcement
a. Enforcement under the Regulation
i. Fines and administrative sanctions by national data protection authorities and
ii. Civil and in some instances criminal liability
b. Enforcement under ePrivacy Directive
i. Judicial remedies, liabilities and sanction. This varies among member states
ii. Enforcement - consumer protection and telecoms regulators rather than DPA
1. More vigorous enforcement of rules of spam and cookie consent in Netherlands
iii. Amendments to ePrivacy Directive by Citizens’ Right Directive introduced a right for
individuals and biz with legitimate interest in cessation or prohibition of spam to bring a
private right of action against non compliant marketers

D. Internet Technology and Communications

1. Cloud computing
a. Refers to provision of IT services over internet
b. These svs may be provided by a company for it users in private cloud or by third party suppliers
i. Infrastructure as svs (IaaS)
1. Supplier provides remote access to and use of physical computing resources.
User is responsible for implementing both operating platform and all apps
ii. Platform as svs(PaaS)
1. Supplier provides access to and use of operating platforms as well as underlying
hardware; user remains responsible for implementing and maintaining
applications
iii. Software as svs(Saas)
1. Suppliers provides infrastructure, application and platform
c. Common features
i. Cloud service commonly have following features
1. Service infrastructure shared among supplier customers and located in a number
of countries
2. Customer data transferred around infrastructure according to capacity
3. Supplier determines location, security measures and svs standards applicable to
processing
ii. Traditional computing - org operating system, programmes, data stored on
computer/computer servers. Cloud services-programme, systems and data are stored in
number of locations around the world, either managed privately by org for its own users or
thru service provider
d. Applicable law: GDRP Applies where
i. Processing related to activities of EU establishment of controller or
1. Weltimmo: ECJ stated that establishment was based on degree of stability of
arrangements and where there is an effective exercise of activities (includes
minimal activities in EU Member State)
2. Economic link btn non EU data controller processing personal data and EU
based establishment means activities of data controller subject to GDPR
ii. Processing related to offering gds/svs to individuals in EU/ monitoring their behavior even
when controller or processor not in EU
e. Controller or Processor?
i. Controllers/joint controllers have morde data protection obligations than processors
ii. Customer is typically controller and supplier is processor
1. Controller determines substantial and essential elements of processing like data
retention periods
2. A cloud svs supplier processing data for own purposes is a controller
iii. Technical and org means of processing can be delegated to processor
iv. Scope of processing mandated by controller and role of supplier should be included in a
contract
f. Cloud Service Providers
i. If customer of cloud service provider is subject to EU data protection law, obliged to enter
into contract with cloud service provider. Such contract includes
1. Subject matter, duration, nature and purpose of processing as type of personal
data concerned and categories of data subject
2. Personal data processed on documented instructions
3. Individuals processing personal data subject to confidentiality
4. More prescriptive security measures
5. Controllers given notice of sub processors and can object
6. Sub processors have same contractual obligations like processor
7. All personal data deleted/returned after service is completed
8. Make available all necessary info for audits
9. Measures taken to ensure data controller can meet obligations; keep data secure
and notify in event of data breaches, conduct DPIA, consult with regulators
ii. Customer likely to seek
1. Assurance that svs provided will not lead to breach of legal obligation
2. Mitigation of risks from mandatory disclosure req from foreign authorities and
3. Indemnification for any misuse of personal data by supplier
iii. Supplier (processor) should not become processor and under GDPR regulations include:
inform controllers of data breaches, security, info controller if instruction infringes Euro law
g. International Data Transfers
i. Customer as controller responsible for compliance regarding transfer of personal data
ii. Controllers have to show evidence of safeguards for protecting personal data
1. Geographically limiting colod to EEA countries and those deemed to offer
adequate protection; may increase cost and not be feasible
2. Can choose privacy shield scheme; subject to legal challenge though
3. European Commission authorised standard contracts (model clauses) executed
btn suppliers and customers but difficult to construct for multiple parties and
location, need to be updated and inflexible; also subject of legal challenge
4. Tailored data transfer agreements but they are expensive, take time and need to
be approved by regulators
5. Processor BCRs
6. Codes of Conduct and Certification; Cloud Select Industry Group was working on
devt of code of conduct on data protection for cloud svs providers
7. Reliance upon derogation under Art 49 like consent but difficult since consent
has to be specific, freely given, revocable, specific and informed
2. Web cookies
a. Small text file delivered by a website server onto computers of visitors to its website
i. Other technologies like device fingerprinting are alternatives to cookies
b. Cookies and similar technologies
i. Used to tailor website offering and maintain security of individuals while logged in to online
accounts
ii. When a user visits a website, a cookie is sent to users browser by that website or TP with
whom website operator has a relationship. Cookie stores info about user’s visit
iii. When website is revisited by browser, website can retrieve info stored on cookie and react
accordingly like displaying preferred language
iv. Cookies allow a website to remember individual browsers
v. On mobile devices, cookies can only be read by app which set them. Org can’t track users
across different mobile apps. Device fingerprinting involves collecting a large number of
different technical items of info about a device (screen resolution, browser settings,
operating system) to uniquely id it from others
c. Cookies, similar technologies and personal data
i. Cookies identify a unique computer via its browser and track online movt of computer to
form a profile of browsing habits linked to that specific computer and individual
ii. If website operator intends to link a profile created using data obtained from cookies to a
name and email address, profile will be personal data
iii. Regulation: Info that relates to a person with intention of identifying references to an online
identifier is personal data
1. WP29 - Using an individual’s static IP address in order to build a profile of them,
this profile including the IP address is personal data subject to Regulation
2. First party cookies are placed by operator of website visited and enable operator
to advertise its own pdts or tailor its website gathered on info gathered by own
cookies.
a. Website operator is controller of personal data gathered by 1st party
cookies
3. Third party cookies sent by entity other than website operator where the TP
determines the mean and purposes of processing of personal data gathered from
TP cookies, TP is controller must comply with regulation
iv. Pseudonymous data would include profiles that can be connected to an individual even
where the controller does not in fact intend to make this connection
v. UK View: Cookies are linked to device rather than specific person and devices can have
multiple users so info collected cannot be linked to specific user
vi. Vidal-Hall v. Google Inc disagreed: Claimants argued before Eng Court of Appeal that
profiles of browsing habits were personal data that Google use of profiles to target ads
was objectionable because individuals might use device and deduce info about claimant’s
browsing habits from targeted ads
d. Applicable law based on cookies
i. Regulation applies to processing of personal data that related to monitoring behavior of
individuals within EEA. Non EEA websites that set cookies on users’ device to build
customer profiles will be subject to regulation when data it collect is from EEA individuals
e. Cookies and consent
i. Storing of info or gaining access to info already stored in terminal equipment of a
subscriber or user is allowed where user has consented having been provided with clear
and comprehensive info under ePrivacy Directive
ii. Need to obtain prior informed consent of user
1. Info about sending and purposes of cookies must be given to user
2. User having been given info must consent b4 cookies is place on computer or
info stored in computer is retrieved
3. The user must have choice as whether to give consent to use if cookies and
must actively indicate that they do not consent
 iii. Under Recital 66 of Directive 2009/136/EC amending ePrivacy Directive where technically
feasible and possible and in accordance with relevant provisions of data protection law,
user’s consent to processing of cookie data may be expressed by appropriate settings of a
browser or other application
iv. WP2 opinion: Browsers do not normally block cookies by default and average user is not
always familiar with browser settings or implications of those settings, Internet users
cannot be deemed to have consented by using a browser that allows cookies
v. Under WP29, OBA opinion, browser setting may be relied upon to obtain consent if certain
conditions apply
1. Browser settings reject TP cookies by default
2. Internet users given clear comprehensive and fully visible info about use and
purpose of cookies and about any further processing that takes place to enable
users understand where they give consent and what they are consenting to
3. Users take positive steps to accept both setting of cookies and ongoing retrieval
of data from those cookies b4 any such cookies are set or accessed
4. Impossible to bypass choices made by users in browser settings. Deleted
cookies should not be restored
vi. Implementation of revised Article 5(3) varies btn member states. UK guidance
1. Check types of cookies used on websites and how they are used
2. Assess how intrusive the use of cookies is
3. Decide which mechanism is most suitable in order to obtain users’ consent
a. Browser not sophisticated enough to allow website operators to assume
consent has been given, Other mechanisms - pop-ups and website
terms and conditions
vii. Website operators provide full and transparent disclosure about use of cookies and even
consider having a stand alone cookie use policy
1. Spanish regulator - Agencia Espanola de Protection de Datos (AEPD) similar to
ICO and makes it clear that cookie notice should contain info about how to
disable or delete cookies and how to withdraw consent
f. IP addresses
i. String of numbers assigned to a device that help it to identify and communicate with other
devices through the internet. May reveal physical location of device and Internet Service
Provider (ISP)
ii. Device will have static IP address ( device using same IP address) or dynamic IP address
(device receives a different IP address on each start-up); allow numerous device to share
space on a network
g. IP addresses and personal data
i. Can be used to consult user profiles in a similar way to cookies = personal data
ii. Static and dynamic IP addresses personal data in hands of ISP and other org (govt
agencies or private parties)because can be used to link IP addresses to a specific
customer
iii. ECJ case: Breyer v. Germany - Dynamic IP addresses would be personal data in hands of
German state because in event of cyber attacks, German law allowed German state to
obtain additional identification info from ISPs to determine specific individual to whom,
specific IP address related
3. Search engine marketing (SEM)
a. Search engines are svs that find info on the internet. They process large volumes of data including:
i. User IP addresses
1. Where search engine collects IP addresses, it can link them with searches
conducted from that address esp if IP address is static
ii. Cookies
1. Allow more precise user identification (identification based on user account rather
than device associated with IP address for which there may be multiple users).
Used to personalize and improve svs
 iii. User log files
1. Logs of actions taken by users through cookies and IP addresses
a. Query logs - terms searched for, their data and time, cookie identifier,
user preferences and operating system info), content (including
advertisements) offered and info on users’ subsequent navigation
iv. Third party web pages
1. Processing data including personal data contained on those third party web
pages to return relevant info to the user
b. Search engines as Controllers
i. Search engines determine the purpose and means of processing data about users (user
log) and are controllers
ii. Google v. Spain: ECJ ruled that search engines are also controllers of the personal data
contained in third party web pages- Search engine plays a decisive role in overall
dissemination of personal data-third party web pages -makes a search on basis of data
subject name and liable to affect significantly and privacy rights of individuals
c. Applicable law
i. If search engine is established in EEA, Regulation applies
ii. Search engines headquartered outside EEA but offer their svs to individuals inside EEA.
Processing about such individuals in order to offer svs subject to Regulation
iii. User logs subject to Regulation as creation of user log files is monitoring individuals’
behavior
iv. Google v. ECJ: Search engines outside EEA are subject to regulation in respect of their
processing of personal data contained in third party web pages if they have an EU
establishment whose activities are economically linked to the search engine’s core
activities
1. Google Inc processing of personal data to operate search engine biz was subject
to European Data Protection Law because processing was carried out in the
context of activities of Google Spain, which promoted and sold advertising space
for Google Inc search engine
d. Data Protection Issues
i. Data retention: Limit retention periods to 6 months; delete or irreversibly made anonymous
once grounds for retaining personal data no longer exist
ii. Correlation and further processing for different purposes
1. Search engines use personal data in provision of services to profile users and
personalizing search results
2. Need for lawful processing and consent where search engines offer svs like
webmail and personalized search fx and user data is often correlated across a
number of svs and platform
iii. Compliance with data subject rights
1. Applicable to registered users of search engine and unregistered users (who may
be identified from their IP address or via cookies or similar technologies)
2. Data from third party web searches is cached by a search engine operator-
individuals can exercise correction or deletion regarding cached personal data
and right to be forgotten
4. Social networking services
a. Social Networking Site (SNS)Online site designed to support social groups and build social
relations among individuals who share interests and activities
b. SNSes and others as controllers
i. SNSes are controllers where they provide online comm platforms that enable the
publication and exchange of info and determine use of personal data for advertising
purposes
ii. Authors of applications designed to run SNSes providing svs in addition to those provided
by SNS are controllers of users’ personal data
 1. Regarding third party app provides, apps should comply with info provision and
limiting data collection to that which is strictly necessary for provision of the
application
iii. SNSes users uploading personal data whether their own or TP will be exempt from
regulation so long data is used for personal or household reasons
1. Household exemption inapplicable where:
a. SNS is used as platform by an org and individual using SNS is acting on
behalf of org. SNS users adding personal data relating to TP to SNS are
controllers of data and making disclosure: subject to Regulation (data
security and retention, purpose limitation and data subjects rights)
b. Where a user knowingly extends access to personal data beyond
selected contacts. Individual posting personal data is controller.
2. Exemption applies where use of personal data is for journalistic, artistic or literary
purposes
c. Information provision obligations
i. SNS provider should be open and transparent and give users the following info
1. Where relevant, notice that personal data will be used for marketing purposes
and existence of right to opt out
2. Notice that personal data will be shared with specified third parties
3. Explanation of any profiling
4. Info about processing of sensitive personal data
5. Warnings about risk to privacy both to user uploading material and any TP about
whom personal data is processed
6. Warning that if individual uploads a third party’s personal data like photographs,
consent of TP should be obtained
d. Sensitive personal data
i. Unless data subject has published info themselves, explicit consent of data subject is
required to make sensitive personal data available on the Internet
ii. Where SNS requests info that would result in disclosure of sensitive personal data,
providing such info is entirely voluntary
iii. Photographs may reveal sensitive personal data if specifically intended to reveal such
data - subject to GDPR
e. Third party personal data
i. SNSes allow users to post info about third parties including SNS non-user - need lawful
basis for processing
ii. Personal data about TP obtained from non users and aggregated to form prebuilt profiles
of individuals who are not members of SNS lack legal basis under Eu data protection law
f. Children’s data
i. Where individuals is under 16 yr and age is being processed on basis of consent, consent
must be given or authorized by parent
ii. Member states are free to lower this age limit to 13 years
iii. Controllers need to have best interest of child as set out in UN Convention on Rts of child
iv. Processing of minors’ data should be lawful and fair
1. Do not request sensitive data
2. Default privacy friendly settings are adopted
3. Minors are not targeted with direct marketing material
4. Parental prior consent is obtained
5. Applications on mobile devices
a. Data Collection
i. Apps collect a lot of data through sensors of mobile device they are installed on
ii. They are also able to access info stored on the mobile device including contact details,
emails, photographs, internet browsing history
 iii. This info can be used to offer innovative svs to users but can also be sent back to app
developer and associated with a particular device (through a unique identifier or IP
address)
iv. Less likely to be shared by multiple users unlike desktop and laptop computers
v. Provide more detailed insight into owner’s lives in comparison to other types of internet
enabled device
b. Applicable Law
i. Where info collected through apps can be linked to specific device, it is personal data and
Regulation applies
c. Controllers and Processors
i. Collecting personal data and sending it to app developer servers, app developer controller
since they decide what is collected and how it is used
ii. Where personal data is processed on users’ mobile device and not sent to app developer
controller then app owner not data controller
iii. Where multiple parties act on behalf of app owner (hosting and analytic providers) they
are likely to be data processors
iv. App stores, operating systems and device manufactures may also be data controllers if
they process data connected to users’ interactions with app (if app store logs the apps
downloaded by a user)
d. Cookies and Similar Technologies
i. If an app uses cookies or similar technologies, it will be subject to consent requirement
ii. Limitation: Cookies can be only read from within app which has sent them
1. Individuals increasingly use different apps to perform different online activities
hindering advertisers ability to use cookies to track them
iii. New methods of tracking individuals across apps which require prior consent
1. Accessing info stored on users’ devices - Unique ID such as media access
control (MAC) Address
2. Device fingerprinting - large number of info points which in combination are
unique to a particular user
3. Where app wishes to access contact details, photos or other media stored in a
user’s device, prior consent is required
e. Notice
i. Need to inform users adequately how info will be used but this is quite difficult due to
limited screen space available on mobile devices in comparison to laptops and desktops
ii. Use of icons and visual signifiers proposed by WP29
iii. Layered notices with most important info and links to more complete info
iv. Notice will need to be provided before app is downloaded thru privacy policy on app page
f. Consent
i. Downloading an app onto users’ device entails storing info on devices requiring consent
under ePrivacy Directive
ii. Consent req as lawful ground for processing data since intimate nature of location data
collected will disqualify legitimate interest as basis for collection
iii. Consent not essential for providing app functionality is not valid
iv. Consent has to be specific rather than getting single consent for all types of processing
v. If no consent, apps should have functionality for users; if user refuses permission to
access their location data to display directions, they should be able to manually view info
g. Data minimisation
i. Personal data should be adequate, relevant and limited to what is necessary in relation to
purpose for which they are processed
ii. Reinforced by regulations data protection by default requirement- only personal data
necessary for each specific processing purpose is collected and used
6. Internet of things
a. Introduction
 i. Refers to internet enabled objects which can communicate directly with other internet
enabled objects with no human assistance
ii. Such objects have sensors to collect and transmit info about their environment
1. Include wearable technology, smart energy meters and home appliances and
connected vehicles)
iii. Sensors in such objects frequently collect info that relates to identifiable individuals
1. Personal data subject to GDP
b. Controllers and Processors
i. Similar in respect of internet enabled mobile devices
c. Security
i. Challenging since
1. Large number of objects are connected to same network providing a large
number of points thru which malicious actors can gain access
2. Software on Internet enabled objects less likely to be kept up to date with latest
security patches
ii. IOT should be designed with security in mind from beginning/ data protection by design
d. Notice and Choice
i. No human interaction therefore difficult
ii. Because of intrusiveness of IoT, consent is appropriate legal ground on which to base
processing; difficult cos no human intervention
iii. Need for innovative approaches
1. Stickers notifying individuals that their info is being collected together with info on
how and where data subjects can find further info or having objects wirelessly
broadcasts the relevant info such that it appears on mobile device when they are
nearby
2. Regarding consent, WP29 has stated that it is necessary for device
manufacturers to build consent mechanisms into the devices
3. Data Protection Impact Mechanism and Data Protection by Design should assist
org in devising and implementing solutions at early stage of devt
7. Outsourcing
a. Introduction
i. Rapid progress in electronic data processing and appearance of mainframe computers
allowed public admins and large enterprises to set up extensive data banks and improve
and increase collection, processing and sharing of personal data
ii. Service bureaux or computer bureaux emerged to cater to computing needs of org without
their own data processing capabilities
iii. Data controller retains obligation to be accountable even when data processing is carried
out by another party - service bureaux
b. Role of parties
i. Controller and processors (both have obligations under GDPR)
1. Controller responsible for complying with relevant data protection obligations
under the law
2. They should also ensure that a written contract governing relationship with
processor and processor complies with data protection obligations in contract
ii. Customers as controllers and suppliers as processors
1. Customer exercises a dominant role in determining purposes and means of the
processing
2. Processing carried out by processor should be governed by a contract or legal
act binding processor to controller and stipulating detailed requirements
3. Contractual provisions
a. Where processor not established in EU, processor must designated rep
in EU unless processing is occasional, does not include large scale
processing of special categories of data or personal data relating to
 criminal convictions or offences, unlikely to result in risk to rights and
freedoms of individuals
b. Processor not to engage another processor without prior specific or
general written authorization of controller
c. Processing on behalf of controller governed by written contract or legal
act binding on processor with regard to controller
d. When a processor engages sub processor, same data protections set
out in contract must be imposed by contract on sub-processor
e. A processor/subprocessor is to process personal data on instructions
from controller or under EU/member state law
f. Processor or rep must maintain written record of all categories of
personal data processing activities carried out on behalf of controller
g. Processor/ rep must cooperate with data protection supervisory
authority
h. Processor required to implement appropriate technical and org security
measures relative to risks that arise from processing to ensure personal
data is protected
i. Processor must notify controller without undue delay after becoming
aware of a personal data breach
j. Processor required to designate DPO where core activities consisting of
processing ops that require regular and systematic monitoring of
individuals on a large scale or core activities involve processing of
sensitive data or data on criminal convictions on large scale. Publish
DPO contact details and comm them to DPA
k. DPO must be involved in all issues related to protection of personal data
and provide necessary support to DPO. Must be independant and other
tasks performed should not result in conflict of interest
l. Processors must comply with conditions set out in gdpr
m. Where data transfer takes place based on compelling legitimate
interests of the controller, assess circumstances and adopt suitable
safeguards to protect data transferred and document assessment
iii. Suppliers as controllers
1. Only when the decisions made exceed scope of contract by determining the
purposes or essential means of processing
iv. Chains of processors and sub-processors
1. Outsourcing not limited to two parties:
2. Involves following arrangement:
a. With a corporate group, operating companies in different jurisdictions
rely on a procurement entity within that group of companies to procure
data processing svs
b. Procurement entity appoints particular supplier as prime contractor for
relevant data processing svs
c. Supplier than subcontracts some of the svs to other entities within its
group of companies or externally to TP
c. Data protection obligations in an outsourcing contract
i. Acting under controller’s documented instructions
1. Outsourcing contract involving processing of personal data should establish who
is in control
2. Contract should include a provision that supplier will process relevant personal
data on documented instructions from customer. May be generic but more
specific the easier it will be for customer to show that it is the data controller
3. Provision regarding international transfers of personal data unless EU or member
state law requires otherwise so processor will need to inform controller of the
requirement before processing
 ii. Implementing appropriate technical and organization measures
1. Controllers should rely on suppliers’ expertise to decide security measure to be
adopted and require supplier to acknowledge
a. That customer is relying upon supplier’s skill and knowledge to assess
what is appropriate to protect personal data against unauthorized or
unlawful processing and against accidental loss, destruction, damage,
alteration or disclosure and
b. Measures adopted must be appropriate to harm and nature of personal
data to be protected
2. Supplier should also consider
a. Sensitive nature of personal data and substantial harm that would result
b. State of technological devt and cost of implementing such measures
iii. Employee vetting
1. Supplier should
a. Ensure reliability of any employees and subcontractor personnel who
have access to customer personal data
b. Employees and subcontractor personnel involved in processing of
personal data should undergo adequate training
c. Employees and subcontractor should perform duties strictly in
compliance with applicable confidentiality provisions under contract by
treating customer personal data as confidential info
iv. Other data protection obligations
1. Supplier should comply with obligations imposed on processor regarding
appointment of other processors
2. Assist controller by implementing appropriate technical and org measures
3. Assit controller in ensuring compliance regarding data security, breach
notification, impact assessment, prior consultation with DPA
4. At choice of controller, delete or return all personal data to controller after end of
provision of svs; delete copies unless EU law requires storage of personal data
5. Allow for and contribute to audits by controller/auditor appointed by controller
v. Subcontracting
1. Chain of processors and sub-processors regarding the outsourcing then
outsourcing contract should include the following:
a. Customer must provide specific or general written authorization to
processor regarding engagement of sub-processor
b. Processor must inform controller of any intended changes that concern
the addition or replacement of other sub-processors; controller can
object
c. Processor has obligation to impose contractual obligations applicable to
it to any sub-processors
d. Main supplier must remain liable to customer for any breach of sub-
processor
d. German case
i. German Data Protection legislation (BDSG)amended in July 2009 after Deutsche Telekom
lost personal data for about 17 mil T mobile German customers when storage device with
that info was stolen
ii. Unlike previous law, specific terms were established when entering into a contract
1. Subject and duration of work to be carried out
2. Extent, type, purpose of intended collection, processing/use of data, type of data
and category of data subjects
3. Technical and org measures to be undertaken
4. Rectification, erasure and blocking of data
5. Processors’ obligation in particular monitoring
6. Any right to issue subcontracts
 7. Controllers’ rights to monitor and processor’s obligations to cooperate with
controller
8. Extent of controller’s authority to issue instructions to processor
9. Return of data storage media and erasure of data recorded by processor after
work has been carried out
10. Violations by processor or its employees of provisions to protect personal data or
terms specified by controller that are subject to obligation to notify
11. Data controller has to verify and be satisfied with technical and organizational
processors implemented by data processor before data processing begins.
a. Verification to be repeated periodically after
b. Result of verification should be documented
12. Breach of Section 11 BDSG
a. Regulatory offence leading to administrative fines up to 50,000 Euros
b. Also a deduction of profits that a party may have had due to breach
c. Fine is issued to anyone who
i. Does not enter into controller/processor agreement correctly,
completely or in prescribed way
ii. Does not verify that data processor’s technical and org
processors are in place before data processing begins
13. BDSG does not grandfather existing agreements pre-2009; will need to be
revised
iii. Effect of data processor’s location
1. BDSG applies to any data processor in Germany or within EU processing
personal data on behalf of German data controller
2. Unclear whether it applies to data processors outside EU or EEA subject to
standard model contractual clauses approved by EU Commission
a. BDSG ignored regarding transfers to data processors located outside
the EEA. Should not be included as attachments to standard model
clauses
e. Offshoring and international data transfers
i. Transfer of personal data to country outside EEA unless country has adequate level of
protection is difficult for EU Customers wishing to engage a supplier or chain of suppliers
based overseas
ii. Legitimizing transfer of personal data overseas
1. Privacy shield
a. Currently subject to adequacy decision by EU Commission
b. Transfers of personal data by EU customers to Privacy Shield
signatories providing data processing svs should be lawful
c. EU controllers rely on this mechanism if US data importers should
include data processing activities carried out on behalf of customers
within scope of Privacy Shield certification
2. Standard contractual clauses
a. Parties in outsourcing relationship involving data transfers outside EEA
may provide appropriate safeguards to legitimise such transfer by
entering into agreement containing updated controller to processor
clauses
b. Updated clauses have strict rules regarding processor ability to
subcontract its svs. Step by step subcontracting process is so
cumbersome for global outsourcing service providers
3. Alternative contractual mechanisms
a. Tailored ad hoc data processing and transfer agreement
b. Parties negotiate data protection provisions of the international data
processing agreement and rely on own judgment to procure an
adequate level of protection
 c. May be entered into by exporting controller or processor and recipient of
personal data in the third country
i. Alternative contractual mechanism can be suitable for
processor to processor data transfers (where EU based
controller engages EU based processor who transfers data to
non EU sub processor)
d. Success of this approach will depend on willingness of DPA to approve
different versions of the alternative contractual mechanisms
4. Binding Corporate Rules for Processors
a. Original BCR model has applied to cases where companies are
controller of personal data they process and not to processors
i. GDPR extends the BRC concept to processors
b. Processor BCR can be tailored to data protection svs of service provider
so long as they include appropriate adequacy standards unlike standard
contractual provisions approved by Commission
c. Standards required under Processor BCR mirror those of BCR but
adapted to their role as data processors
d. Individual data subjects - Additional layer of protection since the
Processor BCR will include a direct redress route to data processor for
breaches of safeguards provided by Processor BRC