Summary CIPP/E

The document outlines key concepts and principles related to the processing of personal data, including definitions of profiling, consent, personal data breaches, and biometric data. It details the territorial scope of data protection laws, the principles governing data processing, and the rights of data subjects, including conditions for consent and exceptions for processing special categories of data. Additionally, it discusses the implications of automated decision-making and profiling, as well as the conditions under which rights may be restricted for national security or public interest purposes.

Uploaded by

Rekha Tyagi

Profiling- automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person: performance at work, economic situation, health, personal preferences, reliability, behaviour, location, movements.

Consent- freely given, specific, informed and unambiguous.

Personal data breach- breach of security leading to accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise
processed.

Biometric data- personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that person, such as facial images or dactyloscopic data.

Article 3 Territorial scope

- Establishment of a controller or a processor in the Union, regardless of where the processing takes place
- C or P not established in the Union, but the processing involves:
  - offering of goods and services to data subjects in the Union, irrespective of payment
  - monitoring their behaviour
- Not established in the Union, but member state law applies by virtue of public international law (PIL).

Article 5- 11 Principles

Article 5- Principles relating to processing of personal data

a) Lawfulness, fairness and transparency
b) Purpose limitation. Specified, explicit and legitimate
c) Data minimisation. Adequate, relevant and limited to what is necessary in relation to the purpose
d) Accuracy. Accurate and up to date; data that is inaccurate in relation to the purpose is to be erased or rectified without delay
e) Storage limitation. Kept in a form which permits identification of data subjects for no longer than necessary
f) Integrity and confidentiality. Protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (talks about processing, not disclosure and access)
g) Accountability

Note on e): data may be stored for a longer period if it will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

Article 6 Lawfulness of processing

a) Consent for a specified purpose
b) Necessary for the performance of a contract, or in order to take steps at the request of the data subject prior to entering into a contract
c) Compliance with a legal obligation on the controller
d) Necessary to protect vital interests
e) Performance of a task in the public interest or exercise of official authority vested in the controller
f) Legitimate interest of the controller or a third party. Exception- legitimate interests overridden by the interests or fundamental rights and freedoms of the data subject, e.g. a child
  - f) does not apply to public authorities in the performance of their tasks

6 (4)- where processing is done for a purpose other than that for which the personal data was collected, and it is not based upon consent or on a Union or member state law which constitutes a necessary and appropriate measure in a democratic society to safeguard the objectives under Art. 23 RESTRICTIONS (no rights for the data subject: national security, public security, defence, criminal offences, general public interest, judicial independence, prosecution of breaches of ethics, protection of data subjects, rights and freedoms of others, protection of civil law claims), the controller, in determining whether the processing is compatible with the original purpose, shall take into account the following factors-

- Link between the initial purpose and the intended further processing
- Context, relationship between data subject and controller
- Nature of the personal data, whether special categories (Art. 9) or criminal conviction and offence data are processed
- Possible consequences for data subjects
- Existence of appropriate safeguards

Article 7 Conditions for consent

1. Controller should be able to demonstrate consent
2. Consent should be clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language
3. Right to withdraw consent at any time
4. Whether consent is freely given or not- performance of a contract conditional on consent to processing of personal data that is not necessary for the performance of that contract

Article 8 Child’s consent in relation to information society services

16 years or above or parental consent

Article 9 Processing of special categories of personal data

Racial, ethnicity, political opinions, trade union memberships, processing of genetic, biometric data
for uniquely identifying a person, health, sex life, sexual orientation

Exceptions-

a) Data subject has given explicit consent, unless law provides that the prohibition can't be lifted
b) Processing for carrying out obligations or exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, as far as authorised by Union or member state law providing appropriate safeguards for the fundamental rights and interests of the data subject
c) Vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent
d) Carried out in the course of legitimate activities by a foundation, association or not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates to members or former members and the personal data is not disclosed outside the body without the consent of the data subject
e) Processing relates to data manifestly made public by the data subject
f) Legal claims, judicial proceedings
g) Substantial public interest on the basis of Union or member state law
h) *Preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or member state law or pursuant to a contract with a health professional
i) Public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
j) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  - (for h) processing by a professional under the obligation of professional secrecy

Article 10 Processing of personal data relating to criminal convictions and offences

Article 11 Processing which does not require identification

Where the controller is able to demonstrate that it is not in a position to identify the data subject, Articles 15 to 20 (15- access; 16- rectification; 17- erasure; 18- restriction of processing; 19- notification obligation; 20- data portability) do not apply unless the data subject provides additional information enabling his/her identification.

Article 12- 23 Rights of the data subject

Article 12- Information and communication to data subjects

1. Concise, transparent, intelligible and easily accessible form, using clear and plain language
3. Within one month, further extendable by two months in cases of complexity; reasons for the extension must be given
4. Free of charge; if the request is manifestly unfounded or excessive the controller can charge a fee or refuse

Article 13/14- information to be given when personal data is collected from the data subject / from a source other than the data subject

1. Controller's identity
- contact details of the DPO
- purpose of processing, legal basis of processing
- legitimate interest pursued by the controller
- information on international transfer of personal data
- categories of personal data concerned (Art. 14 only)
- recipients

2. Further information to ensure fairness and transparency
- Period for which the personal data will be stored
- Rights of the data subject
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
- Whether provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, and the consequences of failure to provide it
- Existence of automated decision making including profiling, the logic involved and the consequences of the processing
- Source from which the personal data originates, including whether it came from a publicly accessible source (Art. 14 only)

3. Information about purpose other than for which personal data is collected

The controller shall provide the information referred to in paragraphs 1 and 2:

1. at the latest within one month;

2. if the personal data are to be used for communication with the data subject, at the latest at the
time of the first communication to that data subject; or

3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first
disclosed.

Exceptions-

Paragraphs 1 to 4 shall not apply where and insofar as:

1. the data subject already has the information;

2. the provision of such information proves impossible or would involve a disproportionate effort,
in particular for processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes, subject to the conditions and safeguards referred to
in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to
render impossible or seriously impair the achievement of the objectives of that processing. In
such cases the controller shall take appropriate measures to protect the data subject’s rights
and freedoms and legitimate interests, including making the information publicly available;

3. obtaining or disclosure is expressly laid down by Union or Member State law to which the
controller is subject and which provides appropriate measures to protect the data subject’s
legitimate interests; or

4. where the personal data must remain confidential subject to an obligation of professional
secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15- right to access

Right to obtain a copy, but it shall not adversely affect the rights and freedoms of others. Controller may charge a fee based on administrative costs.

Article 16- right to rectification

Rectification of inaccurate data without undue delay. Completion of incomplete information.

Article 17- right to be forgotten

Right to erasure without undue delay.

1. Grounds-
- No longer necessary for the purpose
- Withdraws consent given under Art 6 (lawful processing) or Art 9 (2) (exceptions to the prohibition on special categories), and there is no other legal ground for processing
- Objects under 21 (1) (right to object to processing under Art 6 (1) e (public interest) or f (legitimate interest), including profiling) or under 21 (2) (direct marketing, including profiling)
- Unlawfully processed
- Erasure required for compliance with a legal obligation
- Personal data collected in relation to the offer of information society services to a child (Article 8 (1))

Exceptions- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) (exception to prohibitions for special category data);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.

Article 18- right to restriction on processing

1. Grounds-
- accuracy contested by the data subject
- processing unlawful
- controller no longer needs the data, but it is required by the data subject for the defence of legal claims
- data subject has objected to processing under Article 21, pending verification

2. where processing is restricted, personal data can be stored, but can only be processed with
consent, defence of legal claims, for protection of rights of other person, public interest

3. inform data subject before restriction is lifted

Article 20- right to data portability

Right to receive personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller-

- where processing is based upon Art 6 (1) (a) (consent for a specific purpose) or 6 (1) (b) (performance of a contract, or steps at the request of the data subject)
- and the processing is carried out by automated means

Exceptions- public interest, official authority, adverse effect on rights and freedom of others

Article 21 right to object

Data subject may object under 21 (1) (right to object to processing under Art 6 (1) e (public interest) or f (legitimate interest), including profiling) and under 21 (2) (direct marketing, including profiling). Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.

Rights under 21 (1) and 21 (2) are to be clearly brought to the notice of the data subject at the time of first communication.

Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject has a right to object to the processing, unless the processing is necessary for a task carried out in the public interest.

Article 22 automated individual decision making, including profiling

Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects him/her.

Exceptions- data subject has no such right, if the decision is

a) necessary for the performance of a contract
b) authorised by Union or member state law to which the controller is subject, and which provides suitable measures to safeguard the data subject's rights and freedoms and legitimate interests
c) explicit consent

except where decision is based on special categories of personal data under Article 9, unless there is
explicit consent or in public interest.

Article 23 restrictions

Union and member state laws to which the data controller or processor is subject may restrict, by way of a legislative measure, the scope of the rights provided under Art. 12-22 (rights of the data subject), Art. 34 (communication of a data breach) and Art. 5 (principles relating to processing of personal data) in so far as it relates to Art. 12-22, when such a restriction is a necessary and proportionate measure in a democratic society to safeguard-

- National security, defence, public security
- Criminal offences, threats to public security
- General public interest (monetary, taxation, health, social security)
- Judicial proceedings
- Breaches of ethics for regulated professions
- Protection of the data subject or the rights and freedoms of others
- Enforcement of civil claims

CHAPTER 4

DATA CONCEPTS

Personal data-

Any information-
About a person; objective or subjective; need not be true; any activity in the professional or public sphere; online identifiers (cookies, RFID) which may be used to create a person's profile and identify them; available in any form; processed by automated means, and by manual means if the data "form part of a filing system".

Relating to-

Information must be about an individual, but information that relates to objects, processes or events may constitute personal data under certain circumstances, e.g. the value of a car for determining tax, or technical information about a car (mileage) if processed by a garage for issuing a bill. Whether personal data relates to an individual- i) content (the result of a student relates to that individual); ii) purpose (used to evaluate the individual); iii) result (processing that has an impact on the individual's rights and interests).

Identified or identifiable-

Person has not been identified but possible to do so. E.g. IP address information combined with
other pieces of information will allow the individual to be distinguished from others. Example- web
surveillance tool identifies behaviour of a machine- individual behind the machine- individuals’
personality- attribute decisions to him or her.

Whether a person is identifiable or not- take into account “all means reasonably likely to be used”
“possibility of singling out”, cost, time, technology used etc.

CCTV

information must be treated as personal data as fundamental purpose of the processing is to single
out and identify individual.

Dynamic IP address is considered as personal data if third party (ISP) holds information likely to be
used to identify the website user when put together with dynamic IP address.

Regulation does not apply to anonymous data, but complete anonymisation is difficult.

Pseudonymisation- processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information. Such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Example- replacing identifiers with a reference, if the business is interested in knowing the pattern of a typical customer but is not interested in the identity of the individual.

Pseudonymisation is considered an important safeguard to achieve data minimisation, and for the compatibility of a new purpose with the original purpose.

Aggregation of data for statistical purposes is likely to result in non-personal data, but not if the sample size is small.
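Added example (not from the original notes): the "replace identifiers with a reference" pattern above, implemented with a keyed HMAC so the pseudonym cannot be re-derived without the key, the lookup table kept apart from the analytics dataset as the "additional information", and aggregation that suppresses small groups because a tiny sample can still single someone out. All records, the key and the threshold are constructed for illustration.

```python
"""Pseudonymisation and aggregation of customer records (constructed example)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: a direct identifier plus the attributes an
# analyst needs in order to study purchasing patterns.
CUSTOMERS = [
    {"email": "anna@example.com", "city": "Lyon", "plan": "gold"},
    {"email": "bo@example.com", "city": "Lyon", "plan": "basic"},
    {"email": "cara@example.com", "city": "Lyon", "plan": "basic"},
    {"email": "dev@example.com", "city": "Ghent", "plan": "gold"},
    {"email": "eli@example.com", "city": "Ghent", "plan": "basic"},
    {"email": "fay@example.com", "city": "Malmo", "plan": "gold"},
]

# The "additional information" kept separately: a secret key held by a
# different function (e.g. the security team), never shipped with the
# analytics dataset. Constructed value for the demo.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym of a normalised identifier.

    An unkeyed hash would let anyone holding the dataset test guessed
    e-mail addresses against it; with the key kept elsewhere the pseudonym
    on its own does not identify anyone.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into (a) an analytics dataset where the direct
    identifier is replaced by a pseudonym and (b) a lookup table that the
    key holder stores separately, so a specific customer can be traced back
    only with that table."""
    analytics, lookup = [], {}
    for record in records:
        pid = pseudonym(record["email"], key)
        lookup[pid] = record["email"]
        analytics.append({"id": pid, "city": record["city"], "plan": record["plan"]})
    return analytics, lookup


def aggregate(analytics, group_key: str, min_group: int = 3):
    """Count plans per group; return (published, suppressed).

    Groups with fewer than min_group members are withheld, since a count
    of 1 or 2 in a small city can still single out an individual.
    """
    groups = {}
    for row in analytics:
        groups.setdefault(row[group_key], Counter())[row["plan"]] += 1
    published = {g: dict(c) for g, c in groups.items() if sum(c.values()) >= min_group}
    suppressed = sorted(g for g in groups if g not in published)
    return published, suppressed


if __name__ == "__main__":
    dataset, table = pseudonymise(CUSTOMERS, PSEUDONYM_KEY)
    stats, withheld = aggregate(dataset, "city")
    print("published:", stats)
    print("suppressed (group too small):", withheld)
```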

Natural person-

Regulation applies to natural person. Regulation does not apply to personal data of deceased person
and organisational data which may be protected through standard contractual clauses.

Sensitive personal data-

Personal data related to the physical or mental health of a natural person. Information collected during registration, a number or symbol assigned to a natural person uniquely identifying that person, information derived from testing.

Processing of photographs should not be considered processing of special category data as they are
covered by biometric data only when “they are processed through a specific technical means
allowing the unique identification of a natural person”.

Controller and Processor

Controller determines the purpose and means of processing. Most of the responsibilities for
compliance are on Controller.

Processor has limited obligations, e.g. record keeping, international data transfers comply with the
regulation, having appropriate security measures in place, notifying controller if there is a data
breach.

Processor is required by the contract to process personal data only on the documented instructions
of the controller.

Processor processes the data on behalf of the controller.

Controller determines who shall be responsible for compliance and how individuals can exercise
their rights.

Joint controllers, example- shared website of travel agent, hotel and airlines, booking done with
shared database and carry out integrated marketing activities.

Example- parent company with centralised IT services to its subsidiaries. Each subsidiary remains a
controller for the data held for its own purpose. If parent company conducts independent
operations, for example, to compare rate of employee turnover, it may become a joint-controller
with the subsidiaries.

In complex environments, responsibilities should be clearly allocated.

If the processor determines the purpose and means of processing, then processor becomes the
controller (Art. 28 (10)). Example- pension scheme administrator uses data to market financial
product.

Identifying the source of control- controller appointed under law, control stems from practice or law
(employer-employee relationship), factual (degree of actual control and impression given to the
individuals and the reasonable expectations of the individuals based upon the visibility)

Determining the "why" and "how" of processing- means include not only technical means but also questions such as which data is processed, who has access to the data, when it will be deleted, and whether the cloud-based database provider uses the data for any other purpose. Controller may delegate decisions relating to technical and organisational aspects of processing.

The contract between C and P must set out nature and purpose of data processing, type of data,
categories of data subjects.

Processor to process data only on documented instructions of the controller; processor to ensure that people authorised to process the data have committed themselves to confidentiality; take all measures for security of processing; assist the controller in complying with its obligation to respond to data subjects' requests; assist the controller in its obligations under Art. 32-36 (security, DPIA and breach notification); return/delete all data to the controller on termination; contribute to audits and inspections.

Sub-contracting- (Art 28)

Require prior authorisation of controller, identical contract between processor and sub-processors,
processor liable to controller for performance of sub-processors.

Factors to determine the role of controller and data processor

Level of prior instructions by the controller; monitoring by the controller; visibility portrayed by the controller to individuals; expertise of the parties.

Regulation does not apply to deceased persons.

Chapter 10

Security of personal data

Article 32- Controllers and processors must implement "appropriate technical and organisational measures" for security.

Article 32 (1) (a)- encryption, pseudonymisation as controls that must be considered by C and P.

Article 32 (1) (b, c, d)- maintaining confidentiality, integrity, availability and resilience, based upon
consensus of professional opinion.

Article 32 (3)- certification mechanism and code of conduct.

Article 32 (4)- obligation of confidentiality on the employees of C and P.

Data protection by design and by default

Art 5 (1) (f)- integrity and confidentiality during processing of data; Art 32 “appropriate tech and org
measures” directed to controllers and processors.

Art 5 (2)- accountability + Art 24 places obligations to prove compliance.

Art 28- similar compliance obligations to processors through contract. Sufficient guarantee- proof of
processor’s competence, through for example, third party assessment or certification, audits,
assurance must reflect consensus of professional opinion.

Art 28 (10)- processor becomes controller when it steps outside the boundaries of the controller's instructions.

Art 30 requires C and P to maintain record of processing activities

Art 33-34- breach notification requirement to DPAs and, in certain cases, to the people impacted. Literal requirement to notify when the controller becomes aware of the breach. In practice, controllers have to put in place breach detection measures.

Art 33 (2)- processors to notify controller of data breaches without undue delay.
Art 33 (5)-keeping of records of breaches.

Art 34- communicating breaches to data subjects when breaches are likely to present high risks to
the rights and freedoms of individuals. No need to communicate to data subjects if data rendered
unintelligible by encryption, measures taken to mitigate high risk from materialising, by, for
example, incident response strategy, disclosure would involve disproportionate efforts. High risk can
be seen in context of impact to a large number of data subjects or large amount of damage to
certain individual.

Art 25- protection by design and default

Art 35- DPIA and prior consultation requirement

Security of processing

Art 32- “appropriate”- law does not require absolute security. We can not assume legal failure from
operational failure.

Risk based approach- Art 25 and Art 35. Nature of data, reasonably foreseeable threats and technical
vulnerabilities. State of art test and requirement of cost. Consensus of professional opinion e.g.
encryption.

A controller that rules out a particular control on account of cost alone may not be seen favourably if
that amounts to rejection of consensus of professional opinion or ability to make financial
investment.

Personal data breach definition requires an actual breach, whereas the Art 5 (f) integrity and confidentiality principle also seeks to prevent risks.

Detection (definition of PDB), classification (likely to cause a risk to the rights and freedoms of individuals), notification to the DPA within 72 hours. Requirement of an incident response strategy.

Risk assessment-

Performing threat and vulnerability assessment, security maturity assessment, management of security, human factors, physical environment, cyber and tech environment, policy, control, business processes framework, incident detection and response.

The security paperwork

Important during litigations (discovery and disclosure), contractual due diligence.

Policy based regulation and operational regulation.

Layered approach to creation of paper work- top layer- policy statements; middle layer-controls
implemented to achieve policy statements; third layer- operating processes and procedures.

Employing security tech to filter e-communications and monitor use of IT and communication systems. Need to engage works councils before deploying such technologies. Ethical hacking, pen testing, testing of code security.

Transfer of personal data outside EEA

Conditions-

1. third country ensures an adequate level of protection for personal data as determined by the Commission (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay)
2. in the absence of an adequate level of protection, C or P provide appropriate safeguards
3. transfer fits into one of the derogations covered by the regulation

Transfer involves processing in the third country. Examples- i) routing over packet-switched technology (email, web pages) involving random transfer of personal data between computer servers located anywhere in the world; ii) e-access by travellers who happen to be at a particular location, for a short period of time, which does not afford an adequate level of protection.

International exchange of information about an individual with the intention of automatically processing the information after it has been exchanged. Example- someone in the EU provides information over the phone to a person in a third country who then enters the information into a computer.

Art. 45- third country or international organisation decided adequate by the Commission ensures an adequate level of protection. Factors- rule of law, respect for human/fundamental rights, national security, defence, implementation of legislation, data protection rules, enforcement; existence of an independent supervisory authority; international commitments.

Commission decision regarding adequacy by implementing Act.

Safe harbour mechanism as a self-regulatory framework. Drawbacks- participants did not perform
annual compliance checks, lack of active enforcement by FTC.

2. Providing appropriate safeguards to data subjects

- A legally binding and enforceable instrument between public authorities or bodies
- BCR (Art 47)
- Standard data protection contractual clauses adopted by the Commission
- SCC adopted by a supervisory authority and approved by the Commission
- Approved code of conduct (Art 40) along with commitments of C and P in third countries to apply appropriate safeguards
- Approved certification mechanism (Art 42)
- Contractual clauses between C or P and the C, P or recipient of personal data in the third country

The contractual route-

Commission-approved model contracts
- 2001 C to C clauses
- 2004 alternative C to C clauses
- 2010 C to P clauses

DPAs adopt SCC themselves or authorise transfers based upon ad-hoc contracts presented to them by the parties.

Microsoft, Amazon, Google obtain approval of DPAs for their own versions of agreements.
BCR for intra-organisation transfer of data across borders, both for C and P.

DPA must approve BCR following the "consistency mechanism", provided that they are legally binding and expressly confer enforceable rights on data subjects.

Acceptance by C or P of the liability.

Derogations

1. Explicit consent of individual. Specific, informed, possible risks due to absence of adequacy
decisions and appropriate safeguard
2. Transfer necessary for performance of contract, includes employment contracts. Depends
on nature of goods and services and not the way in which exporter’s operations are
organised.
Travel agent who keeps customer database outside EEA purely for cost and operational
reasons.
3. Public interest- crime prevention, detection, security, tax collection
4. Transfers needed for exercising or defending legal claims
5. Vital interest of data subject or any other person
6. Export of information from public registers, provided the information receiver complies with
any restrictions, not the complete register.
7. Non-repetitive transfers-
Concerns limited number of data subjects, necessary for purpose of compelling legitimate
interests of controller, which are not overridden by interest and rights and freedom of data
subjects, and controller provides suitable safeguards. Controller must inform supervisory
authority and data subjects.

Employment relationships

Member state employment laws may require consultation with works councils in countries which have strong employee rights and where the collection of data significantly impacts employees' privacy.

Art. 88- member state may provide for more specific rules around processing of employee’s
personal data. Notify commission of such laws.

Legal basis of processing-

Consent (not best in employer-employee relationship, processing may be unlawful under local
laws), performance of employment contract, compliance with legal obligation to which employer
is subjected to (details to tax authorities), legitimate interests of employer (migration from old
pay roll system to new one; public authorities can’t rely on these grounds).

Sensitive personal data- the employer must ensure that it complies with one of the exceptions
under Art 9 (2), e.g. explicit consent (not ideal), carrying out obligations under employment,
social security and social protection law, exercising or defending legal claims (unfair dismissal
claim by a former employee). Poland, Portugal (authorisation of DPA required).

Requirement to provide a notice to the employee informing them about the use of their data, their
rights, whom to contact etc.
Personal data should be deleted once the employee leaves the job, but local laws may require
retaining it (health and safety checks, labour and tax laws). Such data should be securely
archived.

Workplace monitoring

Right to privacy must be balanced against the legitimate interests of the employer.

Employer must be careful not to compile blacklists as part of background checks.
Finland requires prior written consent.

Data loss prevention tools

Compliance with data protection principles during monitoring (necessity, legitimacy,
proportionality, transparency). Data to be held securely, with access limited to those who have
a legitimate reason to view it.

DPIA must be carried out when the monitoring is likely to result in high risks to rights and
freedom of individuals. Example- company starting to use DLP software.

Less intrusive methods must be used. Monitoring of internet time and the regularity of phone
calls to non-work numbers may be allowed, but not recording the content of websites visited or
telephone conversations.

Proportionality- wholesale monitoring of all employees to ensure that they are not passing on
confidential information would be disproportionate, but monitoring to ensure the security of IT
systems may be proportionate. Monitoring traffic data generated by emails is fine, but not the
content.
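The traffic-data-only rule above, as an added example that is not part of these notes or of any regulator's guidance: a parser that keeps the metadata needed for IT-security monitoring (timestamp, domains, size) and deliberately discards the subject line and the local parts of the addresses, so the record is per domain rather than per employee. The log format, domains and lines are constructed for the example and do not correspond to any real mail server.

```python
# Added example (not from the notes): record only traffic data from mail logs, never content.
# Log lines, domains and the log format are constructed sample data.
import re
from collections import Counter
from dataclasses import dataclass

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'size=(?P<size>\d+) subject="(?P<subject>[^"]*)"$'
)


@dataclass(frozen=True)
class TrafficRecord:
    ts: str
    sender_domain: str
    recipient_domain: str
    size: int
    external: bool


def traffic_only(line: str, internal_domain: str):
    """Extract traffic data from one log line. The subject (content) and the local parts
    of the addresses are deliberately discarded: the record is per domain, not per employee."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
    rcpt_domain = m["rcpt"].rsplit("@", 1)[-1].lower()
    return TrafficRecord(m["ts"], sender_domain, rcpt_domain, int(m["size"]),
                         external=rcpt_domain != internal_domain.lower())


def outbound_by_domain(lines, internal_domain: str):
    """Bytes sent to each external domain: the level of detail needed to notice unusual
    outbound volume for IT security purposes, without reading any message."""
    totals = Counter()
    for rec in (traffic_only(line, internal_domain) for line in lines):
        if rec is not None and rec.external:
            totals[rec.recipient_domain] += rec.size
    return dict(totals)


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '2024-03-01T09:00:01Z from=<anne@corp.example> to=<ben@corp.example> size=2048 subject="lunch?"',
    '2024-03-01T09:05:42Z from=<anne@corp.example> to=<partner@supplier.example> size=1048576 subject="Q1 figures"',
    '2024-03-01T09:07:10Z from=<carl@corp.example> to=<me@webmail.example> size=52428800 subject="backup"',
    '2024-03-01T09:08:00Z malformed line',
    '2024-03-01T09:09:33Z from=<dina@corp.example> to=<me@webmail.example> size=1024 subject="notes"',
]

if __name__ == "__main__":
    for domain, total in outbound_by_domain(SAMPLE_LOG, "corp.example").items():
        print(f"{domain}: {total} bytes outbound")
```

The aggregation is keyed by recipient domain on purpose: a per-employee view would be the wholesale monitoring the notes call disproportionate, while a per-domain volume figure is enough to raise an IT-security question.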

Transparency- prior information about monitoring to set the expectations of employees regarding
privacy. Acceptable use policy (AUP). Employees have a right to limited private use of the
employer's equipment. No covert monitoring allowed except in cases permitted by law.

When an employer detects misuse, it should immediately notify the employee. Need to consult the
works council, in some cases, before introduction of new technology that will significantly impact
working conditions.

Engagement of works councils- notifying, consulting, seeking approval.

Whistle blowing scheme- US Sarbanes-Oxley Act 2002.

Direct marketing

When and how an individual's personal data may be used, e.g. regulation of unsolicited
commercial messages (anti-spam), use of cookies and similar tech on webpages, emails and push
notifications.

Direct marketing- includes any form of sale or promotion (fundraising, free offers); by any means;
directed to a particular individual. DP law applies only when the individual's personal data is
processed for a marketing purpose.

Not considered direct marketing- i) marketing communications not directed at individuals
(untargeted website banner ads, mailings sent to companies without contact persons
mentioned); ii) purely service-related messages.
GDPR and e-privacy directive- post, phone, fax, email, online advertising

e-privacy directive- digital marketing, i.e. all channels except post. Online behavioural advertising (OBA).

Marketing requirements under the regulation-

- Lawful basis- unambiguous consent, legitimate interest
- Fair processing notice- informing individuals that their personal data will be used for marketing
purposes
- Implementing appropriate technical and organisational measures; contracts with service
providers that send direct marketing on the controller's behalf
- Not exporting personal data outside of the EEA without adequate protection.

Right to opt-out-

Right to opt-out is available even where processing was done on the basis of consent or
legitimate interest.

Individuals are informed of their right to opt-out at the time of first communication, across all
communication channels, free of cost; opt-outs are honoured without undue delay and the data
deleted (unless required to defend a legal claim, or for a compelling legitimate interest where the
controller's interest outweighs the data subject's interest); profiling information should also be
deleted.

Data controllers must suppress rather than delete contact details, so that they don't send any
marketing emails to them unless they opt-in again. Cs should always cross-reference with their
internal opt-out list and global opt-out registers/ Robinson's list. Failure to cleanse against
Robinson's list is generally not a breach of DP laws but only a violation of national laws.
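The suppression mechanism described above, as an added example that is not part of these notes: the controller keeps hashed opt-out entries instead of deleting the contact (so the address can be recognised and blocked if it reappears on a send list), cross-references every send list against both its own opt-out list and an external register of the Robinson-list kind, and clears only its internal entry when someone opts in again. All addresses and the register contents are constructed sample data.

```python
# Added example (not from the notes): suppression-list handling for direct marketing opt-outs.
# Addresses, the external register and the re-opt-in are all constructed sample data.
import hashlib


def normalise_email(addr: str) -> str:
    """Canonical form so that case and whitespace variants match the opt-out record."""
    return addr.strip().lower()


def fingerprint(addr: str) -> str:
    """Keep only a hash of suppressed addresses: enough to block a future send without
    retaining a reusable contact list of people who asked not to be contacted."""
    return hashlib.sha256(b"suppression-v1:" + normalise_email(addr).encode()).hexdigest()


class SuppressionList:
    """A set of hashed addresses that must not receive marketing."""

    def __init__(self, entries=()):
        self._hashes = {fingerprint(e) for e in entries}

    def add(self, addr: str) -> None:
        self._hashes.add(fingerprint(addr))

    def remove(self, addr: str) -> None:
        """Used when the individual opts in again."""
        self._hashes.discard(fingerprint(addr))

    def __contains__(self, addr: str) -> bool:
        return fingerprint(addr) in self._hashes


def filter_send_list(recipients, internal_optout, external_register):
    """Cross-reference a send list against the controller's own opt-out list and an
    external register (Robinson's list). Returns (allowed, suppressed_with_reason).
    Duplicates of an address already seen are dropped silently."""
    allowed, suppressed, seen = [], {}, set()
    for addr in recipients:
        key = normalise_email(addr)
        if key in seen:
            continue
        seen.add(key)
        if addr in internal_optout:
            suppressed[addr] = "internal opt-out"
        elif addr in external_register:
            suppressed[addr] = "external register (Robinson list)"
        else:
            allowed.append(addr)
    return allowed, suppressed


def demo():
    """Constructed scenario: Bob opted out, Carol is on the external register,
    Dave opted out earlier but has since opted in again."""
    internal = SuppressionList(["bob@example.com", "dave@example.com"])
    robinson = SuppressionList(["carol@example.com"])
    internal.remove("dave@example.com")  # re-opt-in clears the internal entry only
    send_list = ["alice@example.com", "Bob@Example.com ", "carol@example.com",
                 "dave@example.com", "ALICE@example.com"]
    return filter_send_list(send_list, internal, robinson)


if __name__ == "__main__":
    allowed, suppressed = demo()
    print("send to:", allowed)
    print("suppressed:", suppressed)
```

The internal list is checked before the external register so that the controller's own record, which is the one a re-opt-in updates, decides first; the external register is never modified by the controller.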

e-privacy directive imposes a consent and information requirement; exception- information
collected in the course of the sale of a product or service.

e-privacy directive to be implemented through national laws.

Postal marketing-

e-privacy directive does not apply. No express requirement to obtain consent in the e-privacy
directive. Cs can rely on legitimate interest grounds. Factors to be taken into consideration-
existing customer who would expect to receive marketing emails; nature of the products and
services; whether the individual has opted-out. If none applies, consent may be needed to
legitimise sending of postal marketing.

Telephone marketing-

Consent needed for automated calling systems. Art 13 (3) of the directive requires member states
to ensure that individuals have means to opt-out free of charge. Prior opt-in consent for phone
marketing (Austria, Hungary, Slovenia).

Applies both to B2B and B2C phone marketing.

e-communication-

Cs to obtain prior (opt-in) consent and present a fair processing notice.

Soft opt-in- direct marketing by email to individuals whose details are obtained "in the context
of the sale of a product or service" (may include pre-sales communication, registering a website
account, entering a competition). Only the controller's own similar products and services can be
marketed (details cannot be shared with affiliated group companies); the C should clearly provide
an opportunity to opt-out both at the time of collection of details and in each subsequent
marketing communication.

Regulation will apply when processing employees' contact details for B2B marketing.

Fax marketing-

Cs to obtain prior opt-in consent from individuals.

Location based marketing-

e-privacy directive mandates specific consent and opt-out provision.

Location data- any data processed in electronic communications network or by e-comm service,
indicating the geographical position of the terminal equipment of a user of a publicly available
e-comm service.

Example- friends upload details of an individual's location onto a social networking site. The
e-privacy directive does not apply, but other privacy considerations do.

Prior information to individuals about the type of location data collected and processed; purpose
and duration of processing; whether data is transmitted to 3rd parties for the purpose of providing
VAS. In most cases the use of such data for marketing is not mentioned, and the screen is too
small for a detailed description.

Right to opt-out of their location data being processed for marketing purposes; temporary right
to opt out for each connection to the network.

OBA

Website publishers; 3rd party ad-networks which serve OBA on behalf of publishers (may track an
individual's behaviour across multiple websites).

Advertisers wishing to reach a target audience instruct ad-networks to serve ads on their behalf.
Ad-networks partner with multiple website publishers. When an individual visits a website that has
partnered with the ad-network, the ad-network places a cookie on the individual's computer. The
cookie is assigned a unique identifier. The ad-network records the identifier assigned to the
cookie in its database, and assigns a profile to that identifier. When the individual later visits a
partnered website, the ad-network looks up the profile and delivers ads based upon interests.

Responsibility-

Ad-networks- data controllers, as they have complete control over purposes and means. They rent
ad space from publishers.

Website publisher- may become a joint data controller as they engage ad-networks to serve
OBA. They owe a certain degree of responsibility towards visitors. They have to agree
contractually who will notify the visitors and how visitors will be offered the ability to refuse.
Advertisers- independent controllers for targeted adverts through their own website.

e-privacy directive applies to OBA irrespective of whether the information collected is PD or not.

Prior informed consent is required, with active participation of the individual. Opt-out
mechanisms which involve a passive user are not sufficient. Use of browser settings is generally
insufficient to obtain consent.

Websites serving 3rd party cookies must give information about such third parties.
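The consent rule for OBA cookies above (prior information, active participation, passive opt-out and browser defaults insufficient, third parties named), as an added example that is not part of these notes: a server-side gate that decides which cookies may be placed for a given consent record. Only strictly necessary cookies pass without consent; everything else needs an informed, active opt-in that covers the cookie's purpose. The cookie names, domains and the purpose categories are constructed for the example.

```python
# Added example (not from the notes): gate non-essential cookies on prior, informed, active consent.
# Cookie names, domains, purpose categories and consent records are constructed sample data.
from dataclasses import dataclass
from enum import Enum


class ConsentSignal(Enum):
    ACTIVE_OPT_IN = "active opt-in"        # affirmative act, e.g. clicking "accept" on an informed banner
    PASSIVE_OPT_OUT = "passive opt-out"    # "by continuing you accept": the user did nothing
    BROWSER_DEFAULT = "browser default"    # browser accepts cookies unless the user changed it
    NONE = "no signal"


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str          # domain that sets the cookie
    purpose: str         # e.g. "session", "security", "analytics", "advertising"
    third_party: bool = False


@dataclass(frozen=True)
class ConsentRecord:
    signal: ConsentSignal
    purposes: frozenset        # purposes the user actively agreed to
    informed: bool             # notice shown before placement, naming purposes and third parties


# Cookies needed to deliver the service the user asked for: no consent required.
STRICTLY_NECESSARY = frozenset({"session", "security", "load_balancing"})


def may_set(cookie: Cookie, consent: ConsentRecord):
    """Return (allowed, reason). Only an informed, active opt-in covering the cookie's purpose
    lets a non-essential cookie through; passive signals and browser defaults are rejected."""
    if cookie.purpose in STRICTLY_NECESSARY:
        return True, "strictly necessary"
    if not consent.informed:
        return False, "no prior information given"
    if consent.signal is not ConsentSignal.ACTIVE_OPT_IN:
        return False, f"{consent.signal.value} is not active consent"
    if cookie.purpose not in consent.purposes:
        return False, f"no consent for purpose '{cookie.purpose}'"
    return True, "informed active consent"


def cookies_to_place(cookies, consent: ConsentRecord):
    """Names of the cookies that may be placed for this visitor."""
    return [c.name for c in cookies if may_set(c, consent)[0]]


def third_parties_to_name(cookies):
    """Domains that the notice must name because they set third-party cookies."""
    return sorted({c.set_by for c in cookies if c.third_party})


# Constructed sample cookie set for a fictional shop.
SAMPLE_COOKIES = [
    Cookie("sid", "shop.example", "session"),
    Cookie("csrf", "shop.example", "security"),
    Cookie("_stats", "shop.example", "analytics"),
    Cookie("adid", "ads.example", "advertising", third_party=True),
]

if __name__ == "__main__":
    passive = ConsentRecord(ConsentSignal.PASSIVE_OPT_OUT, frozenset(), informed=True)
    active = ConsentRecord(ConsentSignal.ACTIVE_OPT_IN, frozenset({"advertising"}), informed=True)
    print("passive banner:", cookies_to_place(SAMPLE_COOKIES, passive))
    print("active opt-in:", cookies_to_place(SAMPLE_COOKIES, active))
    print("third parties to name:", third_parties_to_name(SAMPLE_COOKIES))
```

The `informed` check comes before the signal check so that an active click on an uninformative banner is still rejected: the notes require the consent to be prior and informed, not merely active.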

Internet technologies and communications

Cloud computing- provision of IT services over internet.

IaaS- supplier only provides remote access to computing resources; the user remains
responsible for maintaining both platform and applications.

PaaS- supplier provides access to the operating platform and hardware; the user remains
responsible for maintaining applications.

SaaS- supplier provides infrastructure, platform and application.

Cloud services commonly have the following features-

Service infrastructure is shared among different customers and located in different countries,
data is transferred around the infrastructure, and the supplier determines location, security
measures and service standards.

Weltimmo's case on "establishment" held that it has to be interpreted based upon the "degree of
stability of the arrangement" and "where the effective exercise of activities takes place" (website
targeting Hungarian customers in the Hungarian language, representative, bank account).

Google v. Spain- economic link b/w the non-EU controller's personal data processing and the EU establishment.

Cloud service providers must consider Art 3 (territorial scope); even if their processing operations
are not directly subject to the regulation, customers will be obliged to impose strict data
processing contracts on the cloud service provider.

In a supply of services situation, the customer is the C and the supplier is the P, but this cannot
be assumed in the context of cloud computing.

Determination of the "essential elements" of the means of processing could result in the party
making such decisions being considered a C.

International data transfers- under the regulation, member states will be unlikely to impose
additional formalities, such as permits, for certain international transfers.

Customers as Cs have some options to demonstrate adequacy-

- Geographically limiting the cloud (cost, not feasible)
- European commission approved SCC (2010 C-P clauses). May be unattractive due to multiple
parties and locations, must be updated as processing evolves, inflexible clauses.
- Tailored data transfer agreements- need approval by regulators
- BCRs- once a supplier's BCRs are approved, it gets safe processor status.
- Code of conduct and certification
- Relying upon derogations

Cookies- information that relates to a person who can be identified by reference to an online
identifier is personal data.

Vidal Hall v. Google (even if Google did not know who was using the device at a particular time,
third party users of the device were likely to possess that information)

Consent requirement for cookies, except those which are necessary.

IP addresses- both static and dynamic IP addresses will be personal data in the hands of ISPs,
because the ISP can link the IP address back to a particular customer (Breyer v. Germany).

Search engines-

Google v. Spain- search engines are also controllers of personal data, as they play a decisive role
in the overall dissemination of data and are therefore liable to significantly affect the fundamental
rights to privacy of individuals.

Search engines outside the EEA are also likely to be subject to the regulation in relation to the
processing of personal data contained in third party web pages, if they have an establishment in
the EU whose activities are "economically linked" to the search engine's core activities.

Data retention periods must comply with the principle of proportionality. The WP recommended
retaining for a maximum of 6 months.

Informed consent, fair processing notices, right to opt-out of profiling.

Data subjects of personal data contained in 3rd party web pages also have a right to ask search
engines to remove these links in certain situations.

Social networking services-

Online communication platforms that enable the publication and exchange of information and
determine the use of personal data for advertising purposes. SNSs are controllers.

When apps are designed to run on an SNS, they too become controllers of users' personal data.
SNSs should ensure that app providers comply with European data protection laws.

Household exception- when an SNS user uploads their own or third-party personal data for
personal or household reasons. The household exception would not apply-

- SNS used as a platform by an organisation and the person using the SNS is acting on behalf of
the organisation. When a user adds personal data relating to third parties, they are controllers of
such data.
- User knowingly extends access to personal data beyond their selected contacts.
- Use of PD for journalistic, artistic or literary purposes.

Sensitive personal data-

Unless the data subject has published the information themselves, explicit consent is required to
make it available on the internet.
When PD of a third party is obtained from SNS users and aggregated to form profiles of
individuals who are not members of the SNS, WP 29 considers such processing lacks a legal basis,
as the subject of the new profile is not aware of it.

Children’s data-

Sensitive PD is not to be requested, default privacy-friendly settings are adopted, children are not
targeted with direct marketing, parental consent is obtained.

Apps on mobile devices

- App collects data and sends to app developer’s server- app developer is the controller
- App collects data but does not send anywhere- data remains on device- User is the
controller
- Hosting and analytics providers acting on behalf of app developers- processors
- Ad provider processing data for their own purpose- controller
- App stores, OS, device manufacturers- data controllers if processing data relating to user’s
interaction with the app.

Prior consent required to install cookies through apps

Layered notices

Consent will be required for processing intimate data such as location. Consent for data
processing which is not essential for provision of the app's functionality will generally not be valid
if the user has to give such consent to use the app.

IoT

Device manufacturers will have to build consent mechanisms into the devices themselves, e.g.
wirelessly broadcasting information to the data subject's mobile, or stickers notifying individuals
that their information is being collected.

Information provision obligations

Transparency is vital when "consent" and "legitimate interest" are considered as a basis of
processing. For consent to be valid it needs to be informed. Similarly, for the assessment of
legitimate interest, regard should be had to whether a data subject can reasonably expect, at the
time and in the context of collection of personal data, that processing for that purpose would take
place. Controllers are more likely to be able to support a legitimate interest claim when the data
subject is given information about how their personal data will be processed.

The directive required that controllers notify their processing to the competent supervisory
authority. Data subjects could consult the notification to get more information about the
processing. The regulation removes this general notification requirement.

Data subject has a right to receive certain information from the controller, regardless of whether it
was provided by data subject directly (Art. 13) or through a third party (Art. 14).

Art. 14 (categories of PD, source) + obligations under Art 13

No requirement to inform the data subject whether provision of PD is a statutory or contractual
requirement, whether they are obliged to provide PD, and the consequences of not doing so.

Situations in which additional information is required

1. Data subjects have a further right to object to processing of their PD where-
- processing is conducted on the basis of the controller's legitimate interest or is necessary for
the performance of a task in the public interest;
- for the purposes of direct marketing.
2. Where PD is transferred to a third country on the basis of the controller's compelling legitimate
interest or consent, the data subject must be informed of the possible risks of such transfer due
to the absence of an adequacy decision or appropriate safeguards.

Rights pursuant to BCR

3. New purpose of processing
4. Essence of the arrangement between multiple controllers
5. Personal data breaches

When information should be provided to data subjects

Art. 13 at the time of obtaining personal data

Art. 14- within a reasonable period, at the latest within 1 month of obtaining; at the time of first
communication with the data subject; at the first disclosure to a recipient.

The regulation allows exemption from the obligation to provide fair processing information where
processing is carried out for the purposes of journalism, or academic, artistic or literary expression.

Requirement of prior informed consent of the user under the e-privacy directive, i.e. information
about the sending of cookies and the purpose of cookies; the user, having been provided this
information, must consent before the cookie is placed on their device.

Fair processing notices

The requirement to "provide" fair processing information under Art. 13-14 leaves controllers to
determine whether they will actively communicate the information required or simply make it
readily available to data subjects (in a privacy policy). Determining factors-

- Level of information already available to the data subject
- Whether there is any element of processing which the data subject may find objectionable
- Whether the consequences of supplying or not supplying their PD are clear
- Nature of PD collected and processed
- Providing fair processing information through the method by which PD is collected

Art. 13 and 14- the requirement is to provide the information

Art. 21 (4)- information about the right to object to certain types of processing is to be "explicitly
brought to the attention of the data subject, at the latest at the time at which the controller
communicates with the data subject".

Layered fair processing notices

The concept of layered fair processing notices was introduced in the Berlin Memorandum of March
2004. A short initial notice, with further detailed information available should the data subject
wish to know more.

Just-in-time notices

Provision of information about processing at the specific point of data collection.

Dashboards, Visualization through standard icons.

In all cases the controller should make available the full unlayered version of their fair processing
information.

Fair processing notices in case of drones-

- Using signposts in areas where drones are operated to collect information
- Using social media and newspapers to inform data subjects
- Making information available on the operator's website
- Taking steps to ensure that the drone itself is visible
- Ensuring that the operator is clearly identifiable using signage on the drone

Fair processing notices on IoT

Printing a QR code or flash code on items equipped with sensors, enabling data subjects to access
the fair processing information.

Supervision and enforcement

Self-regulation

- Art 5 (2) concept of accountability
- Art 37-39- requirement of DPO
- Art 40-43- codes of conduct and certification schemes
- Art 28- controllers have regulatory functions over processors and processors must regulate
sub-processors.

Accountability-

- Focus on demonstrable proof of compliance- performance testing and similar exercises, enabling
the organisation to adjust and refine its activities
- Cs' relationships with Ps (Art. 28)- pre-contractual due diligence, contract, post-contractual
requirements for demonstrable compliance, audits, inspections, delivery-ups, breach
notifications (Art. 33), Ps to cascade the requirements to sub-Ps (Art. 28 (4))
- Art 33-34- breach notifications to DPAs and, in serious cases, to data subjects.
- Art 34- DPIA in cases where processing is likely to result in high risk to the rights and freedoms
of individuals
- DPO- quasi-DPA
- Art 40 encourages representative bodies for Cs and Ps to submit codes of conduct for
approval by the DPA

Regulation by citizen

Individuals have the right to pursue complaints before the DPA for their place of residence,
workplace or the place of the cause of action.

Class actions, e.g. Vidal Hall, Europe v. Facebook

Liability and compensation claim

Art. 82- right of citizens to pursue compensation claims against Cs and Ps. When multiple parties
are at fault, any C or P can be held liable for all the damage, in which case the compensating
party can seek indemnities from the others.

Material and non-material damage, damage includes distress.

Article 78- complaint before the court against a DPA if it doesn't take any action within 3 months.

DPAs are the only bodies which are equipped with administrative, supervisory and enforcement
powers.

Article 51 and 52- DPAs to be independent regulators.

Article 36 (4)- member states to consult DPAs during law-making.

Art. 57 DPAs tasks-

- Promote awareness
- Handle complaints and carry out investigations
- Support consistent application of the regulation internationally
- Monitor development of information and communication systems

Art 35- DPIA

Requires DPAs to publish a list of situations where a DPIA should be carried out and where not.
Art 36 requires Cs to consult with DPAs where the DPIA indicates high risk.

Regulators powers

- Art 58 (1) Investigatory powers intended to give the DPAs access to all materials, evidence
and facilities.
- Art. 24- accountability documentation (policy framework)
- Article 25- privacy by design and default
- Article 28- processors contract
- Art 30- data processing records
- Art 33- breach logs
- Art 24 and Art 35- risk assessment
- Art 58- audits, inspection of premises and equipment

Art 58 (2)- corrective powers- warn Cs and Ps

Art 58 (3)- advisory powers (code, certifications, seals etc.)

DPAs can regulate Cs and Ps established in their territories. In cross-border processing (MNCs and
within member states), the lead authority has competence.

Art. 60- Where Cs and Ps are established in multiple territories, the question of regulatory
competence turns on the location of the "main establishment", i.e. where decision-making for the
processing is done.
An individual makes a complaint to one of the DPAs. If the complaint is made to a non-lead
authority, the DPA that is asserting competence needs to notify the lead authority, which may or
may not trigger a battle of competence. If the lead authority rejects the assertion and wants to
take it up itself, the cooperation procedure under Art 60 applies. The lead authority will issue a
draft decision to the other concerned DPAs, which may trigger a reasoned objection or agreement;
if the lead authority accepts the objection it can issue a revised decision, until a consensus is
reached. If reasoned objections are rejected, the consistency mechanism must be followed (DPAs
cooperate with each other). If the draft decision is accepted, the lead DPA notifies the Cs and Ps
at their main establishment, the other DPAs and the EDPB.

EDPB- successor of WP 29. Composed of a chairperson, the heads of the DPAs, the European Data
Protection Supervisor and the commission's delegate.

DPAs send their decisions to the EDPB for opinions.

The urgency procedure

In exceptional circumstances a DPA must take urgent action. Art 66 allows DPAs to take provisional
measures with a 3-month life span. They have to refer to the other DPAs, the EDPB and the
commission. After 3 months the provisional measures lapse; the DPA can request an urgent
decision from the EDPB.

Penalties

Art 88 (4)

Issues covered-

- Children consent
- Data protection by design and default
- Engagement of processor by controller
- Record of processing
- Cooperation with regulators
- DPIA
- Security
- Breach notification
- DPIAs
- DPOs
- Code of conduct and certifications

Non-undertaking (not engaged in economic activity)- up to 10 million Euros

Undertakings- the higher of 10 million Euros or 2% of worldwide annual turnover in the preceding
year for the undertaking (single entity)

Art 88 (5)

Issues covered-

- Data protection principles
- Lawfulness of processing
- Consent
- Processing of special cat data
- Data subject rights
- International transfers
- Failure to comply with DPAs' investigatory and corrective powers
Non-undertaking (not engaged in economic activity)- up to 20 million Euros

Undertakings- the higher of 20 million Euros or 4% of worldwide annual turnover in the preceding
year for the undertaking

Fines must be effective, proportionate and dissuasive.

Accountability requirements

Different obligations with which an organisation must comply in order to evidence its
compliance with the data protection framework.

Data controller to demonstrate compliance with the 6 principles of Art 5 (1), i.e. lawfulness,
fairness and transparency, purpose limitation, data minimisation, storage limitation, integrity and
confidentiality.

Art 24 (1)- data controllers to implement appropriate tech and org measures, and to review and
update them taking into account the nature, scope, context and purpose of the processing and the
risks to the rights and freedoms of individuals.

Recital 57

High risk processing examples- include processing which may give rise to-

- discrimination,
- identity theft, fraud, financial loss,
- damage to reputation,
- loss of confidentiality of PD protected by professional secrecy,
- unauthorised reversal of pseudonymisation,
- significant economic or social disadvantage,
- processing which might deprive a person of their right of freedom or prevent them from
exercising their control over their personal data;
- processing special cat of personal data,
- personal data of children or criminal convictions.

Privacy policy

Scope (to whom it applies and the type of processing activities).

Data protection by default and design

Different tech and org measures that the data controller is required to implement as part of an
overall approach to protecting the rights and freedoms of individuals with respect to the privacy of
their personal data. Privacy is the key consideration from the outset.

Privacy by design- systems designed to promote privacy and data protection compliance from the
outset of development of new products, services or technologies. It applies not only to the planning
and execution stages but should also address ongoing operation and management, to deal
effectively with the entire life cycle of any personal data the company processes.

Privacy by default-
Companies to implement tech and org measures to ensure that, by default, only personal data
necessary for each specific purpose of the processing are processed. Limit and minimise the
personal data collected and the extent of the processing. By default, data is kept only for the time
necessary for the product or service. In practice, it means that the strictest privacy settings apply
automatically once a customer acquires a new product or service.

Art. 25- when implementing appropriate tech and org measures companies should take into
account the state of the art, cost of implementation, nature, scope, context and purpose of
processing, and the risks of varying likelihood and severity for the rights and freedoms of natural
persons.

Measures- minimum amount of data being processed, pseudonymisation, allowing individuals
greater control and visibility over their data, security standards.

Companies should review their processing systems and operations to determine whether PD is
appropriately mapped, classified, labelled and stored; automated deletion systems are in place;
data collection forms are drafted appropriately; pseudonymisation is used; data of individuals who
have objected to receiving direct marketing messages is deleted; and PD is structured in a
commonly used, machine readable and interoperable form.

Data processors to keep a record of- name and contact details of the processor, its representative
and DPO; name and contact details of the controller for whom the processor acts; categories of
processing carried out; details of transfers of data to third countries and the appropriate
safeguards; general description of the P's org and tech measures.

No record-keeping requirement for companies with fewer than 250 employees, except when
processing is likely to result in risks to the rights and freedoms of data subjects; processing is
frequent; and it involves special categories of data.

DPIA

Article 35- the regulation makes it mandatory for companies (C or P) to undertake a DPIA for new
projects that are likely to create "high risk", or before proceeding with "risky" PD processing.

Art 35 (3)- activities which are considered risky include- i) systematic and extensive profiling that
produces legal effects or similarly significantly affects individuals; ii) use of special cat data on a
large scale; iii) systematic monitoring of public areas on a large scale.

Art 35 (7)- if processing is high risk, the DPIA must contain and document-

- a systematic description of the processing activities, purpose and legitimate interest pursued by
the controller
- an assessment of necessity and proportionality with respect to the purpose
- an assessment of the risks and the measures adopted to address them

In such cases, the controller is required to consult the DPA. DPAs take up to 8 weeks to consider
a referral from the controller. There is an option to extend this period by 6 weeks, and the DPA
has inherent power to suspend the timeline while waiting to receive information from the
controller.

DPO

Under the regulation not every company must appoint a DPO. The circumstances in which a C or P
must designate a DPO are-
where processing is carried out by a public authority; the core activity of the C or P consists of
regular and systematic monitoring of people on a large scale; the core activity (key operations,
need not be data analytics but processing is an inextricable part of the C's or P's business)
consists of processing special cat data on a large scale (number of data subjects concerned,
volume of data, duration of activity, geographical extent).

Territorial and material scope of GDPR

Art 3 (1)- the regulation applies to-

Processing of PD "in the context of the activities" of an establishment in the EU, regardless of
whether the processing takes place in the Union or not.

Territorial scope-

- EU-established Cs and Ps;
- Orgs which offer goods or services to, or monitor, individuals in the EU.

Art 3 (1); recital 22 Establishment

Weltimmo v NAIH- “effective and real exercise of activity through stable arrangements, even a
minimal one”. The test is whether necessary human and technical resources are available.

“in the context of activities”

Google v. Spain

CJEU held that there is a sufficient connection b/w the activities of Google SL and the search
engine's data processing activities, such that the activities are inextricably linked, since the
activities relating to advertising space constitute the means of rendering the search engine
economically profitable.

Being a part of the same corporate group is not sufficient to prove “inextricably linked”.

Applies to overseas companies with EU offices which market EU services paid for by membership
fees.

“Processor”

Applies to data processing where the data processor has an EU establishment, notwithstanding
that the data controller, the data subject and the processing are all outside the EU.

If a controller is established in more than one member state, the courts and DPAs would still turn to
the concept of “context of activities of an establishment” (VKI v. Amazon)

Targeting EU data subjects-

Recital 23 provides that in determining whether an organisation is offering goods and services in
the EU, it should be ascertained whether it is apparent that the "C or P envisages offering goods
and services to data subjects in one or more member states in the Union".

Relevant factors- use of an EU language, display of prices in an EU currency, ability to place orders
in EU languages and references to EU users and customers.
According to the CJEU, in considering whether goods or services are targeted at an EU member
state, consideration should be given to the fact that, before the conclusion of the contract, it is
apparent from the website and the trader's overall activity that the trader was envisaging doing
business with consumers domiciled in the EU.

Intention to target EU customers is reflected in-

- Payment made to a search engine to facilitate access by the targeted member states
- International nature of the relevant activity (tourist activity)
- Mention of telephone numbers with international code
- Mention of the TLD name
- Mention of an international clientele composed of customers domiciled in member states

Monitoring of behaviour-

Recital 24- monitoring includes tracking online to create profiles (e-commerce companies and ad
networks)

Material scope of regulation-

Exemptions-

1. Art. 2 (2) (b)- processing of PD in the course of an activity that falls outside the scope of EU
law, e.g. public security, defence, national security.

2. Art 2 (2) (c)- data processing by a natural person in the course of purely household and
personal activity is exempt. Regulation will apply to C and Ps which provide means for
processing PD for such personal and household activities.

In Lindquist, CJEU held that when the processing consisted of publication on the internet so
that the data is made accessible to an indefinite number of people, household exemption is
not available.

Rynes- CCTV for private residence that captured images of public footpath outside home
was not a purely personal or household activity, in contrast with keeping an address book.

3. Art 2 (2) (d)- exempts processing of PD by competent authorities for the purposes of
detection and prosecution of criminal offences and execution of criminal penalties, including
safeguarding against and prevention of threats to public security.

The gap is filled by the LEDP (Law Enforcement Data Protection) directive, which governs personal
data processed by competent authorities for those criminal-law purposes.

Regulation will apply-

- Where competent authority is processing data for purposes other than the purposes of LEDP
- Competent authority transfers data to another authority not covered under LEDP
- Competent authority transfers data to another authority covered under LEDP but for a
different purpose.
- Processors processing data on behalf of competent authority are subject to regulation for
activities outside LEDP.

4. EU institutions are not covered by regulation.


Data processing principles-

1. Lawfulness, fairness and transparency

Lawfulness- consistent with all applicable laws in a given circumstance- consent for a
specified purpose, contract performance, legal obligation, vital interest, public interest,
legitimate interest of controller/3rd party, except where such interest is overridden by the
interests or fundamental rights and freedoms of the data subject, e.g. a child.

Fairness- data subject must be aware that their PD will be processed, including how the
data will be collected, stored and processed, to allow them to take an informed decision,
and to enable them to exercise their rights.

In certain cases, automatic processing is allowed under law and is considered fair, regardless
of the data subject’s knowledge or preference, e.g. processing by tax authorities of data shared by
an employer under a legal duty to do so, irrespective of whether the employee is aware of it.

Fairness also requires assessment of how the processing will affect the data subject. It is unfair,
for example, if a system is programmed to make automatic decisions regarding the pricing
of flights and hotels based upon preferences inferred from the browsing history of the
individual, and increases prices based on it.

Transparency means controller must be open and clear towards the data subject when
processing PD. Article 13 and 14.

Transparency also requires that information is provided in timely manner. The information
must be provided in clear concise and easy to understand manner.

2. Purpose limitation

Whether secondary use is compatible with the original purpose? Factors considered-
- Link b/w further purpose and original purpose
- Context and reasonable expectation of data subject
- Nature of data
- Consequences of intended further use
- Existence of appropriate safeguard
- Whether for statistical, public interest, scientific or historical research purpose.

If the secondary purpose is incompatible, a separate legal ground will be required for processing
(e.g. consent).

Examples-

- Fitness mobile app to advise fitness routine to clients using such information for improving
the app is compatible.
- App to monitor blood sugar levels, sharing data with person marketing diabetes medication
is not compatible.
- Health professional sharing information with insurance company is not compatible.

3. Data minimisation-
Data controllers must only collect and process personal data that is relevant, necessary and
adequate. The practical application of this principle requires two concepts- necessity and
proportionality.

Necessity- whether the data collected is suitable and reasonable for the purpose. Data will
be excessive if the purpose can be achieved by removing some data fields. Not storing date
of birth when generic age is enough.

Proportionality- consider the amount of data to be collected. A “save everything” approach is
against the principle of minimisation. Example- using biometric data to identify individuals if
they can be identified through ID cards.
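The necessity and proportionality tests above translate into engineering as a per-purpose field allow-list applied at ingestion, with the date-of-birth example handled by deriving a coarse age band and discarding the exact date. The following is an added illustration, not code from the notes or from any regulator; the purposes, allow-lists, age bands and the sample record are all constructed for the example.

```python
from datetime import date

# Hypothetical allow-lists of the fields needed per purpose (constructed for this example).
ALLOWED_FIELDS = {
    "age_verification": {"user_id", "age_band"},
    "shipping": {"user_id", "name", "postal_address"},
}

# Exclusive upper bounds and labels for coarse age bands (constructed).
AGE_BANDS = ((18, "under_18"), (25, "18_24"), (40, "25_39"), (65, "40_64"))


def age_band(dob: date, today: date) -> str:
    """Derive a coarse age band so the exact date of birth need not be retained."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    for upper, label in AGE_BANDS:
        if age < upper:
            return label
    return "65_plus"


def minimise(record: dict, purpose: str, today: date) -> dict:
    """Return only the fields necessary for `purpose`.

    Unknown purposes are rejected rather than defaulting to "keep everything",
    and date_of_birth is replaced by a derived band before the allow-list is applied.
    """
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no field allow-list defined for purpose {purpose!r}")
    working = dict(record)
    if "date_of_birth" in working:
        working["age_band"] = age_band(working.pop("date_of_birth"), today)
    return {k: v for k, v in working.items() if k in ALLOWED_FIELDS[purpose]}


def demo() -> dict:
    """Apply minimise() to a constructed, deliberately over-collected record."""
    collected = {
        "user_id": "u-1001",
        "name": "A. Sample",
        "date_of_birth": date(1990, 6, 15),
        "postal_address": "1 Example Street",
        "browsing_history": ["/shoes", "/sale"],  # needed for neither purpose
    }
    today = date(2024, 1, 1)
    return {p: minimise(collected, p, today) for p in ALLOWED_FIELDS}


if __name__ == "__main__":
    for purpose, kept in demo().items():
        print(purpose, "->", sorted(kept))
```

Because the allow-list is keyed by purpose, adding a new processing purpose forces an explicit decision about which fields it needs, which is the documentation a DPIA or records-of-processing entry will ask for anyway.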

4. Accurate, up to date

5. Storage limitation- data must not be kept for longer than necessary for the purpose for
which it is processed. Personal data may be stored for longer periods only for archiving
purpose or in anonymised form.
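A retention sweep is the usual way storage limitation is enforced in practice: each record carries the purpose it was collected for, a schedule gives the period per purpose, and anything past its period is deleted unless an archiving need justifies keeping it, in which case only a stripped, non-identifying copy survives. This is an added example, not code from the notes; the retention periods, the set of identifying fields and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule, in days after collection (constructed for this example).
RETENTION_DAYS = {"order_fulfilment": 180, "marketing": 365}

# Fields treated as directly identifying; dropped when a record is kept in anonymised form.
IDENTIFYING_FIELDS = {"user_id", "name", "email", "postal_address"}


def retention_action(record: dict, now: datetime) -> str:
    """Decide what to do with one record: "keep", "anonymise" or "delete"."""
    limit = RETENTION_DAYS.get(record["purpose"])
    if limit is None:
        return "delete"  # no documented purpose, so no basis to keep the data
    if now < record["collected_at"] + timedelta(days=limit):
        return "keep"
    # Past the period, only an archiving need justifies retention, and then anonymised.
    return "anonymise" if record.get("archive") else "delete"


def anonymise(record: dict) -> dict:
    """Strip the directly identifying fields, leaving non-identifying attributes."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def sweep(records: list, now: datetime) -> dict:
    """Apply the schedule to every record; returns survivors and the count deleted."""
    survivors, deleted = [], 0
    for rec in records:
        action = retention_action(rec, now)
        if action == "keep":
            survivors.append(rec)
        elif action == "anonymise":
            survivors.append(anonymise(rec))
        else:
            deleted += 1
    return {"survivors": survivors, "deleted": deleted}


def demo() -> dict:
    """Run the sweep over constructed sample records."""
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    records = [
        {"purpose": "order_fulfilment", "collected_at": now - 30 * day,
         "user_id": "u1", "name": "A", "order_total": 42.0},            # within period
        {"purpose": "order_fulfilment", "collected_at": now - 200 * day,
         "user_id": "u2", "name": "B", "order_total": 17.5, "archive": True},  # archive
        {"purpose": "marketing", "collected_at": now - 400 * day,
         "user_id": "u3", "email": "u3@example.invalid"},               # expired
        {"purpose": "unknown", "collected_at": now - 1 * day, "user_id": "u4"},  # no basis
    ]
    return sweep(records, now)


if __name__ == "__main__":
    result = demo()
    print("deleted:", result["deleted"])
    for rec in result["survivors"]:
        print(sorted(rec))
```

The choice to delete records whose purpose is not in the schedule, rather than keep them, is deliberate: an undocumented purpose has no retention period to justify storage, and failing closed is the safer default for personal data.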

Lawful processing criterion

Art 6- lawfulness of processing

Exceptions- journalism, free speech, research, public interest.

1. Consent-
Freely given- data subject should have a choice not to give or withdraw consent at any time.
Request for consent must be presented in a manner clearly distinguishable from other
matters.
Performance of a contract should not be made conditional on consent. The requirement to obtain new
consent is relaxed for research purposes.
For consent to be informed the data subject should at least be aware of the identity of
controller and the purpose of processing.
Actively ticked box gives an indication of unambiguous consent. Pre-ticked box may not
indicate unambiguous consent.
Consent must be obtained before processing the data.
Consent requires an express indication of wishes, whereas opt-out (e.g. a pre-ticked box) works on
the basis of lack of action.
Art 6 does not require explicit consent like Art 9 (special cat)
Controllers are advised to consider other lawful criteria to process children’s data.
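The conditions listed above (specific purpose, informed as to the controller, an affirmative act rather than a pre-ticked box, obtained before processing, withdrawable at any time, not bundled with the contract, presented separately) are the checks a consent-management store has to encode. The following validator is an added example written for these notes, not code from any product or regulator; the record layout and the mechanism names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


# Constructed record shape for this example; not a prescribed GDPR format.
@dataclass
class ConsentRecord:
    purpose: str                       # the specific purpose consent was requested for
    controller: str                    # controller identity shown to the data subject
    mechanism: str                     # "active_checkbox", "pre_ticked" or "inactivity"
    given_at: Optional[datetime]       # time of the affirmative act, None if never given
    withdrawn_at: Optional[datetime] = None
    conditions_contract: bool = False  # was the service made conditional on this consent?
    separate_request: bool = True      # was the request presented distinguishably?


def consent_defects(rec: ConsentRecord, purpose: str, at: datetime) -> list:
    """List why `rec` does not authorise processing for `purpose` at time `at`.

    An empty list means the record passes every check encoded here.
    """
    defects = []
    if rec.purpose != purpose:
        defects.append("purpose mismatch")                  # consent is purpose-specific
    if not rec.controller:
        defects.append("controller identity missing")       # subject was not informed
    if rec.mechanism != "active_checkbox":
        defects.append("no unambiguous affirmative act")    # pre-ticked/inactivity is opt-out
    if rec.given_at is None or rec.given_at > at:
        defects.append("consent not obtained before processing")
    if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
        defects.append("consent withdrawn")                 # withdrawal possible at any time
    if rec.conditions_contract:
        defects.append("contract performance conditioned on consent")  # not freely given
    if not rec.separate_request:
        defects.append("request not clearly distinguishable")
    return defects


def consent_permits(rec: ConsentRecord, purpose: str, at: datetime) -> bool:
    """True only when no defect was found."""
    return not consent_defects(rec, purpose, at)


def demo() -> dict:
    """Evaluate constructed sample records against one processing time."""
    t_given = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    t_withdrawn = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    t_processing = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
    base = dict(purpose="newsletter", controller="Example Ltd")
    samples = {
        "active_opt_in": ConsentRecord(mechanism="active_checkbox", given_at=t_given, **base),
        "pre_ticked_box": ConsentRecord(mechanism="pre_ticked", given_at=t_given, **base),
        "withdrawn": ConsentRecord(mechanism="active_checkbox", given_at=t_given,
                                   withdrawn_at=t_withdrawn, **base),
        "bundled": ConsentRecord(mechanism="active_checkbox", given_at=t_given,
                                 conditions_contract=True, **base),
        "given_after": ConsentRecord(mechanism="active_checkbox",
                                     given_at=t_processing.replace(hour=10), **base),
    }
    return {name: consent_defects(rec, "newsletter", t_processing)
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, defects in demo().items():
        print(f"{name}: {'OK' if not defects else ', '.join(defects)}")
```

Returning the full list of defects rather than a single boolean matters operationally: a consent that fails because it was pre-ticked needs a different remediation (re-collect it properly) from one that fails because it was withdrawn (stop processing and purge).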

2. Processing that meets the requirement of necessity

Apart from consent, all remaining criteria under Art 6 require that processing is necessary for
certain reasons. The processing must be necessary for the stated purpose.
- Performance of a contract
- To fulfil a legal obligation of the controller under EU law.
- Vital interest- reliance on this ground should be taken only when processing cannot
manifestly be done on another legal basis.
- Performance of a task in the public interest or in the exercise of official authority. The right to object
should be available to the data subject.
- Legitimate interest of controller or third party
Public authority cannot rely on the ground of public interest, as Recital 47 requires the
legislature to provide a law as the legal basis for public authorities to process PD.
Three conditions-
a) Processing must be necessary for the purpose; b) the purpose must be a legitimate interest
of C; and c) the legitimate interest is not overridden by the interests or fundamental rights
and freedoms of data subjects.

For legitimate interest basis, the controller should take into consideration the relationship
between the controller and the data subjects, and the reasonable expectation of data
subjects based upon their relationship.

Legitimate interest exists where there is an appropriate relationship between the data
subject and Controller.

Examples-

- processing of the data for the purpose of preventing fraud
- direct marketing
- sharing of PD within a group of undertakings for administrative purposes
- processing client and employee PD
- processing of PD to ensure network and IT security.

3. Processing sensitive data

Photos are covered under the definition of biometric data only when processed through a specific
technical means that allows the unique identification of an individual.

Processing of sensitive PD is prohibited, except the following-

a. Explicit consent, except where law provides that prohibition can’t be lifted- in writing or
documented. Combined action of ticking a box and accept button. Just in time consent
notices in addition to broader privacy statements.
b. Processing necessary for the purpose of carrying out obligations and exercising specific
rights of controller or of data subject, in the field of employment, social security and
protection law, so far as authorised by Union or member state law.
c. Vital interest of data subject or any other person physically or legally incapable of giving
consent
d. Processing carried out in the course of legitimate activities, with appropriate safeguards, by a
foundation, association etc. with a political, religious or trade-union aim, on condition that the
processing relates to members/former members and the personal data is not disclosed outside
the body without the explicit consent of the data subjects.
e. Personal data made public by the data subjects- media interviews
f. Necessary for defence of legal claims or whenever courts are acting in judicial capacity-
insurance company processing data for Mediclaim.
g. Necessary for reasons of substantial public interest, on the basis of law, which shall be
proportionate to the aim pursued- examples of public interest can be public health
services, prevention of crime, prevention of unlawful acts in administration of an org.
h. Processing for medical or social care purposes
i. Public interest in the area of public health- this criterion is designed to cover processing
of health data by those engaged in public health care and supervision of quality of drugs.
j. Processing necessary for archiving purposes

Surveillance activities

Surveillance can be carried out by public agencies for national security and law enforcement
purposes, in a manner that respects the individual rights enshrined in the Charter of Fundamental Rights, i.e.
the right to respect for private and family life (Art 7) and the protection of PD (Art 8); or by private entities for their
own purposes.

Art 23 permits restrictions of the rights of data subjects, provided the restriction is laid down by law
and constitutes a necessary and proportionate measure in a democratic society.

In 2014, the CJEU declared the Data Retention Directive invalid for disproportionately infringing upon
the privacy of individuals.

Video surveillance

CCTV capturing car number and license plate is considered PD, as it can be used to identify an
individual.

Image of individual captured by CCTV is biometric data.

Lawfulness of processing- legitimate interest of controller or a third party. CCTV use should not
override the rights and freedoms of individuals whose PD may be captured.

Biometric data can be processed if any one of the conditions in Art 9 is met e.g. employer-employee,
in public interest for public area, monitoring traffic.

DPIA will have to be done if-

- Video surveillance is considered to be high risk;
- Systematic monitoring of publicly accessible area
- Required by supervisory authority

DPIA must describe purpose of processing, legitimate interest, assessment of necessity and
proportionality, risks to rights and freedom of data subject, measures to address risks.

If the DPIA indicates that the risk can’t be mitigated, then C must consult the DPA before conducting the
surveillance.

To fulfil the proportionality and adequacy requirement, a decision to use CCTV should be made only
when less intrusive methods which do not require image acquisition have been considered and
found inapplicable. The proportionality requirement also applies to type of technology used (facial
recognition, zooming, sound recording). Assess whether images of identifiable individuals are
necessary or image without identifying an individual will also suffice.

Whether key aspect of use of CCTV and processing of footage are proportionate to the purpose.

- Operational and monitoring arrangement- type of cameras, position, visual angles, zooming
option, quality of images, image freezing, possibility of blurring, timing of CCTV recordings
etc.
- Retention of CCTV footage- only as long as strictly necessary for the purpose
- Need to disclose it to third party such as police
- Whether the CCTV information may be combined with other information to identify the individual
- Surveillance of areas where people have high expectations of privacy

Data subjects will need to be provided information that CCTV is under operation and they are being
monitored.

Biometric data

The purpose for which biometric data is being processed must be for uniquely identifying a person. If
the biometric data is used for any other purpose, then Art. 9 will not apply but it will still be PD.

Location data

Implicit location information, internet traffic, device based location data. DPIA should be performed
for high risk cases.

Outsourcing

Customers are controllers and suppliers are processors.

Outsourcing contract must have elements to conclude that customer exercises a dominant role in
determining the purpose and means of processing.

Binding legal contract between C and P.

Direct legal obligation on suppliers-

Art 27- when a processor is not established in the EU, it has to designate a representative, unless the
processing is occasional, does not include large-scale processing of special category data or personal data
relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of
individuals.

Art.28-

- Processor must not engage any sub-processor without the prior authorisation of controller
- Processing conducted by P on behalf of C must be governed by a written contract
- When processor engages a sub-processor, same data protection requirements are passed on
to the sub-processor by way of a contract. Initial processor remains fully liable for the
performance of the sub-processor.

Art. 29-

Any P or sub-P must not process data except under the instructions of C

Art. 30-

P and its representative must maintain a record of all processing. The requirement is not applicable
to processors with fewer than 250 employees, unless the processing is likely to result in a high risk.

Art. 31-

P to cooperate with DPA

Art. 32-

P to implement appropriate tech and org measures

Art- 33

Notify C about breach without undue delay

Art 37-

Designate a DPO if the core activities consist of processing operations that require a regular and
systematic monitoring of individuals at a large scale, process sensitive data or data on criminal
convictions at a large scale.

Art. 44

P must comply with the conditions concerning international transfer of data
